diff --git a/.gitignore b/.gitignore index 0ac2699..2e3326d 100644 --- a/.gitignore +++ b/.gitignore @@ -800,4 +800,6 @@ pyrightconfig.json # End of https://www.toptal.com/developers/gitignore/api/rider,intellij,intellij+all,dotnetcore,csharp,python -**/appsettings*.json \ No newline at end of file +**/appsettings*.json + +.DS_Store diff --git a/OptifitWebServices.sln b/OptifitWebServices.sln index e0fc7d6..07fd5fc 100644 --- a/OptifitWebServices.sln +++ b/OptifitWebServices.sln @@ -9,6 +9,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "CatalogService", "src\Catal EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Shared", "src\Shared\Shared.csproj", "{BF49B348-4188-4AC7-9ED4-5837F4B3BCD2}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentitySvc", "src\IdentitySvc\IdentitySvc.csproj", "{74C8ACD5-5DC4-4466-8846-B552FF131304}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU @@ -26,9 +28,14 @@ Global {BF49B348-4188-4AC7-9ED4-5837F4B3BCD2}.Debug|Any CPU.Build.0 = Debug|Any CPU {BF49B348-4188-4AC7-9ED4-5837F4B3BCD2}.Release|Any CPU.ActiveCfg = Release|Any CPU {BF49B348-4188-4AC7-9ED4-5837F4B3BCD2}.Release|Any CPU.Build.0 = Release|Any CPU + {74C8ACD5-5DC4-4466-8846-B552FF131304}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {74C8ACD5-5DC4-4466-8846-B552FF131304}.Debug|Any CPU.Build.0 = Debug|Any CPU + {74C8ACD5-5DC4-4466-8846-B552FF131304}.Release|Any CPU.ActiveCfg = Release|Any CPU + {74C8ACD5-5DC4-4466-8846-B552FF131304}.Release|Any CPU.Build.0 = Release|Any CPU EndGlobalSection GlobalSection(NestedProjects) = preSolution {54BE8DE8-08BD-429F-BCCA-3363A879D922} = {2A7200CA-F40B-4715-8726-4ED30C785FA4} {BF49B348-4188-4AC7-9ED4-5837F4B3BCD2} = {2A7200CA-F40B-4715-8726-4ED30C785FA4} + {74C8ACD5-5DC4-4466-8846-B552FF131304} = {2A7200CA-F40B-4715-8726-4ED30C785FA4} EndGlobalSection EndGlobal diff --git a/docs/architecture.md b/docs/architecture.md new file mode 100644 index 0000000..e69de29 diff --git a/src/CatalogService/CatalogService.csproj b/src/CatalogService/CatalogService.csproj index 497f0c0..ef3b228 100644 --- a/src/CatalogService/CatalogService.csproj +++ b/src/CatalogService/CatalogService.csproj @@ -2,7 +2,7 @@ net8.0 - disable + enable enable true @@ -13,6 +13,7 @@ + all runtime; build; native; contentfiles; analyzers; buildtransitive diff --git a/src/CatalogService/Controllers/ExercicesController.cs b/src/CatalogService/Controllers/ExercicesController.cs new file mode 100644 index 0000000..c45a807 --- /dev/null +++ b/src/CatalogService/Controllers/ExercicesController.cs @@ -0,0 +1,77 @@ +using AutoMapper; +using CatalogService.Data; +using CatalogService.DTOs; +using CatalogService.Entities; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.EntityFrameworkCore; +using Shared.DTOs; + +namespace CatalogService.Controllers; + +[ApiController] +[Route("api/[controller]")] +public class ExercicesController : ControllerBase +{ + private readonly CatalogDbContext _context; + private readonly IMapper _mapper; + + public ExercicesController(CatalogDbContext context, IMapper mapper) + { + _context = context; + _mapper = mapper; + } + + [Authorize] + [HttpPost] + public async Task Create([FromBody] CreateExerciceTemplateDto dto) + { + if (User.Identity.Name != "admin") return Forbid(); + + var exercice = _mapper.Map(dto); + _context.Exercices.Add(exercice); + await _context.SaveChangesAsync(); + return CreatedAtAction(nameof(GetById), new { id = exercice.Id }, _mapper.Map(exercice)); + } + + [Authorize] + [HttpPut("{id}")] + public async Task Update(string id, [FromBody] UpdateExerciceTemplateDto dto) + { + if (User.Identity.Name != "admin") return Forbid(); + + var exercice = await _context.Exercices.FindAsync(id); + if (exercice == null) return NotFound(); + + _mapper.Map(dto, exercice); + exercice.UpdatedAt = DateTime.UtcNow; + await _context.SaveChangesAsync(); + return NoContent(); + } + + [Authorize] + [HttpDelete("{id}")] + public async Task Delete(string id) + { + if (User.Identity.Name != "admin") return Forbid(); + + var exercice = await _context.Exercices.FindAsync(id); + if (exercice == null) return NotFound(); + + _context.Exercices.Remove(exercice); + await _context.SaveChangesAsync(); + return NoContent(); + } + + [Authorize] + [HttpGet("{id}")] + public async Task> GetById(string id) + { + if (User.Identity.Name != "admin") return Forbid(); + + var exercice = await _context.Exercices.FindAsync(id); + if (exercice == null) return NotFound(); + + return _mapper.Map(exercice); + } +} \ No newline at end of file diff --git a/src/CatalogService/DTOs/CreateExerciceTemplateDto.cs b/src/CatalogService/DTOs/CreateExerciceTemplateDto.cs index 7104e69..bc2aae5 100644 --- a/src/CatalogService/DTOs/CreateExerciceTemplateDto.cs +++ b/src/CatalogService/DTOs/CreateExerciceTemplateDto.cs @@ -6,10 +6,9 @@ namespace CatalogService.DTOs; public class CreateExerciceTemplateDto { [Required] - public string Name { get; set; } - - [Required] - public string Description { get; set; } + public required string Name { get; set; } + + public string? Description { get; set; } = default; public ETarget? Target { get; set; } = ETarget.None; diff --git a/src/Shared/DTOs/ExerciceTemplateDto.cs b/src/CatalogService/DTOs/ExerciceTemplateDto.cs similarity index 94% rename from src/Shared/DTOs/ExerciceTemplateDto.cs rename to src/CatalogService/DTOs/ExerciceTemplateDto.cs index 18b96b0..9b10968 100644 --- a/src/Shared/DTOs/ExerciceTemplateDto.cs +++ b/src/CatalogService/DTOs/ExerciceTemplateDto.cs @@ -1,6 +1,6 @@ using Shared.Enum; -namespace Shared.DTOs; +namespace CatalogService.DTOs; public class ExerciceTemplateDto { diff --git a/src/CatalogService/DTOs/UpdateExerciceTemplateDto.cs b/src/CatalogService/DTOs/UpdateExerciceTemplateDto.cs new file mode 100644 index 0000000..e19a600 --- /dev/null +++ b/src/CatalogService/DTOs/UpdateExerciceTemplateDto.cs @@ -0,0 +1,20 @@ +using System.ComponentModel.DataAnnotations; +using Shared.Enum; + +namespace CatalogService.DTOs; + +public class UpdateExerciceTemplateDto +{ + [Required] + public required string Id { get; set; } + + public string? Name { get; set; } + + public string? Description { get; set; } + + public ETarget? Target { get; set; } + + public string? ImageUrl { get; set; } + + public string? VideoUrl { get; set; } +} \ No newline at end of file diff --git a/src/CatalogService/Program.cs b/src/CatalogService/Program.cs index cc4a318..a541e54 100644 --- a/src/CatalogService/Program.cs +++ b/src/CatalogService/Program.cs @@ -1,4 +1,5 @@ using CatalogService.Data; +using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.EntityFrameworkCore; var builder = WebApplication.CreateBuilder(args); @@ -10,10 +11,18 @@ builder.Services.AddDbContext(opt => opt.UseNpgsql(builder.Configuration.GetConnectionString("CatalogDb")); }); - +builder.Services.AddAutoMapper(AppDomain.CurrentDomain.GetAssemblies()); +builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) + .AddJwtBearer(options => + { + options.Authority = builder.Configuration["IdentityServiceUrl"]; + options.RequireHttpsMetadata = false; + options.TokenValidationParameters.ValidateAudience = false; + options.TokenValidationParameters.NameClaimType = "username"; + }); var app = builder.Build(); - +app.UseAuthentication(); app.UseAuthorization(); app.MapControllers(); diff --git a/src/CatalogService/RequestHelpers/MappingProfiles.cs b/src/CatalogService/RequestHelpers/MappingProfiles.cs new file mode 100644 index 0000000..a1f98bb --- /dev/null +++ b/src/CatalogService/RequestHelpers/MappingProfiles.cs @@ -0,0 +1,16 @@ +using AutoMapper; +using CatalogService.DTOs; +using CatalogService.Entities; + +namespace CatalogService.RequestHelpers; + +public class MappingProfiles : Profile +{ + public MappingProfiles() + { + CreateMap(); + CreateMap(); + CreateMap(); + CreateMap(); + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Config.cs b/src/IdentitySvc/Config.cs new file mode 100644 index 0000000..a5010f4 --- /dev/null +++ b/src/IdentitySvc/Config.cs @@ -0,0 +1,62 @@ +using Duende.IdentityServer.Models; + +namespace IdentitySvc; + +public static class Config +{ + public static IEnumerable IdentityResources => + new IdentityResource[] + { + new IdentityResources.OpenId(), + new IdentityResources.Profile(), + }; + + public static IEnumerable ApiScopes => + new ApiScope[] + { + new ApiScope("optifitApp", "Optifit App API Scope"), + //new ApiScope("scope2"), + }; + + public static IEnumerable Clients => + new Client[] + { + // m2m client credentials flow client + /*new Client + { + ClientId = "m2m.client", + ClientName = "Client Credentials Client", + + AllowedGrantTypes = GrantTypes.ClientCredentials, + ClientSecrets = { new Secret("511536EF-F270-4058-80CA-1C89C192F69A".Sha256()) }, + + AllowedScopes = { "scope1" } + },*/ + + // interactive client using code flow + pkce + /*new Client + { + ClientId = "interactive", + ClientSecrets = { new Secret("49C1A7E1-0C79-4A89-A3D6-A37998FB86B0".Sha256()) }, + + AllowedGrantTypes = GrantTypes.Code, + + RedirectUris = { "https://localhost:44300/signin-oidc" }, + FrontChannelLogoutUri = "https://localhost:44300/signout-oidc", + PostLogoutRedirectUris = { "https://localhost:44300/signout-callback-oidc" }, + + AllowOfflineAccess = true, + AllowedScopes = { "openid", "profile", "scope2" } + },*/ + + new Client + { + ClientId = "postman", + ClientName = "Postman", + AllowedScopes = {"openid", "profile", "optifitApp"}, + RedirectUris = {"https://www.getpostman.com/oauth2/callback"}, + ClientSecrets = new[] {new Secret("NotASecret".Sha256())}, + AllowedGrantTypes = {GrantType.ResourceOwnerPassword} + } + }; +} diff --git a/src/IdentitySvc/Controllers/RegisterApiController.cs b/src/IdentitySvc/Controllers/RegisterApiController.cs new file mode 100644 index 0000000..1966487 --- /dev/null +++ b/src/IdentitySvc/Controllers/RegisterApiController.cs @@ -0,0 +1,45 @@ +using IdentitySvc.Models; +using Microsoft.AspNetCore.Identity; +using Microsoft.AspNetCore.Mvc; +using System.Threading.Tasks; + +namespace IdentitySvc.Controllers; + +[ApiController] +[Route("api/[controller]")] +public class RegisterApiController : ControllerBase +{ + private readonly UserManager _userManager; + + public RegisterApiController(UserManager userManager) + { + _userManager = userManager; + } + + [HttpPost] + public async Task Register([FromBody] RegisterApiDto dto) + { + if (dto.Username != "Harry") + return BadRequest("Invalid registration data."); + var user = new ApplicationUser + { + UserName = dto.Username, + Email = dto.Email, + EmailConfirmed = true + }; + + var result = await _userManager.CreateAsync(user, dto.Password); + + if (!result.Succeeded) + return BadRequest(result.Errors); + + return StatusCode(201); + } +} + +public class RegisterApiDto +{ + public string Username { get; set; } + public string Email { get; set; } + public string Password { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Data/ApplicationDbContext.cs b/src/IdentitySvc/Data/ApplicationDbContext.cs new file mode 100644 index 0000000..d23944e --- /dev/null +++ b/src/IdentitySvc/Data/ApplicationDbContext.cs @@ -0,0 +1,21 @@ +using Microsoft.AspNetCore.Identity.EntityFrameworkCore; +using Microsoft.EntityFrameworkCore; +using IdentitySvc.Models; + +namespace IdentitySvc.Data; + +public class ApplicationDbContext : IdentityDbContext +{ + public ApplicationDbContext(DbContextOptions options) + : base(options) + { + } + + protected override void OnModelCreating(ModelBuilder builder) + { + base.OnModelCreating(builder); + // Customize the ASP.NET Identity model and override the defaults if needed. + // For example, you can rename the ASP.NET Identity table names and more. + // Add your customizations after calling base.OnModelCreating(builder); + } +} diff --git a/src/IdentitySvc/Data/Migrations/20250525164319_InitialCreate.Designer.cs b/src/IdentitySvc/Data/Migrations/20250525164319_InitialCreate.Designer.cs new file mode 100644 index 0000000..c3773e2 --- /dev/null +++ b/src/IdentitySvc/Data/Migrations/20250525164319_InitialCreate.Designer.cs @@ -0,0 +1,277 @@ +// +using System; +using IdentitySvc.Data; +using Microsoft.EntityFrameworkCore; +using Microsoft.EntityFrameworkCore.Infrastructure; +using Microsoft.EntityFrameworkCore.Migrations; +using Microsoft.EntityFrameworkCore.Storage.ValueConversion; +using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata; + +#nullable disable + +namespace IdentitySvc.Data.Migrations +{ + [DbContext(typeof(ApplicationDbContext))] + [Migration("20250525164319_InitialCreate")] + partial class InitialCreate + { + /// + protected override void BuildTargetModel(ModelBuilder modelBuilder) + { +#pragma warning disable 612, 618 + modelBuilder + .HasAnnotation("ProductVersion", "8.0.11") + .HasAnnotation("Relational:MaxIdentifierLength", 63); + + NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder); + + modelBuilder.Entity("IdentitySvc.Models.ApplicationUser", b => + { + b.Property("Id") + .HasColumnType("text"); + + b.Property("AccessFailedCount") + .HasColumnType("integer"); + + b.Property("ConcurrencyStamp") + .IsConcurrencyToken() + .HasColumnType("text"); + + b.Property("Email") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("EmailConfirmed") + .HasColumnType("boolean"); + + b.Property("LockoutEnabled") + .HasColumnType("boolean"); + + b.Property("LockoutEnd") + .HasColumnType("timestamp with time zone"); + + b.Property("NormalizedEmail") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("NormalizedUserName") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("PasswordHash") + .HasColumnType("text"); + + b.Property("PhoneNumber") + .HasColumnType("text"); + + b.Property("PhoneNumberConfirmed") + .HasColumnType("boolean"); + + b.Property("SecurityStamp") + .HasColumnType("text"); + + b.Property("TwoFactorEnabled") + .HasColumnType("boolean"); + + b.Property("UserName") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.HasKey("Id"); + + b.HasIndex("NormalizedEmail") + .HasDatabaseName("EmailIndex"); + + b.HasIndex("NormalizedUserName") + .IsUnique() + .HasDatabaseName("UserNameIndex"); + + b.ToTable("AspNetUsers", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRole", b => + { + b.Property("Id") + .HasColumnType("text"); + + b.Property("ConcurrencyStamp") + .IsConcurrencyToken() + .HasColumnType("text"); + + b.Property("Name") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("NormalizedName") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.HasKey("Id"); + + b.HasIndex("NormalizedName") + .IsUnique() + .HasDatabaseName("RoleNameIndex"); + + b.ToTable("AspNetRoles", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim", b => + { + b.Property("Id") + .ValueGeneratedOnAdd() + .HasColumnType("integer"); + + NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property("Id")); + + b.Property("ClaimType") + .HasColumnType("text"); + + b.Property("ClaimValue") + .HasColumnType("text"); + + b.Property("RoleId") + .IsRequired() + .HasColumnType("text"); + + b.HasKey("Id"); + + b.HasIndex("RoleId"); + + b.ToTable("AspNetRoleClaims", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim", b => + { + b.Property("Id") + .ValueGeneratedOnAdd() + .HasColumnType("integer"); + + NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property("Id")); + + b.Property("ClaimType") + .HasColumnType("text"); + + b.Property("ClaimValue") + .HasColumnType("text"); + + b.Property("UserId") + .IsRequired() + .HasColumnType("text"); + + b.HasKey("Id"); + + b.HasIndex("UserId"); + + b.ToTable("AspNetUserClaims", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin", b => + { + b.Property("LoginProvider") + .HasColumnType("text"); + + b.Property("ProviderKey") + .HasColumnType("text"); + + b.Property("ProviderDisplayName") + .HasColumnType("text"); + + b.Property("UserId") + .IsRequired() + .HasColumnType("text"); + + b.HasKey("LoginProvider", "ProviderKey"); + + b.HasIndex("UserId"); + + b.ToTable("AspNetUserLogins", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole", b => + { + b.Property("UserId") + .HasColumnType("text"); + + b.Property("RoleId") + .HasColumnType("text"); + + b.HasKey("UserId", "RoleId"); + + b.HasIndex("RoleId"); + + b.ToTable("AspNetUserRoles", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken", b => + { + b.Property("UserId") + .HasColumnType("text"); + + b.Property("LoginProvider") + .HasColumnType("text"); + + b.Property("Name") + .HasColumnType("text"); + + b.Property("Value") + .HasColumnType("text"); + + b.HasKey("UserId", "LoginProvider", "Name"); + + b.ToTable("AspNetUserTokens", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim", b => + { + b.HasOne("Microsoft.AspNetCore.Identity.IdentityRole", null) + .WithMany() + .HasForeignKey("RoleId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim", b => + { + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin", b => + { + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole", b => + { + b.HasOne("Microsoft.AspNetCore.Identity.IdentityRole", null) + .WithMany() + .HasForeignKey("RoleId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken", b => + { + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); +#pragma warning restore 612, 618 + } + } +} diff --git a/src/IdentitySvc/Data/Migrations/20250525164319_InitialCreate.cs b/src/IdentitySvc/Data/Migrations/20250525164319_InitialCreate.cs new file mode 100644 index 0000000..c798a2b --- /dev/null +++ b/src/IdentitySvc/Data/Migrations/20250525164319_InitialCreate.cs @@ -0,0 +1,223 @@ +using System; +using Microsoft.EntityFrameworkCore.Migrations; +using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata; + +#nullable disable + +namespace IdentitySvc.Data.Migrations +{ + /// + public partial class InitialCreate : Migration + { + /// + protected override void Up(MigrationBuilder migrationBuilder) + { + migrationBuilder.CreateTable( + name: "AspNetRoles", + columns: table => new + { + Id = table.Column(type: "text", nullable: false), + Name = table.Column(type: "character varying(256)", maxLength: 256, nullable: true), + NormalizedName = table.Column(type: "character varying(256)", maxLength: 256, nullable: true), + ConcurrencyStamp = table.Column(type: "text", nullable: true) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetRoles", x => x.Id); + }); + + migrationBuilder.CreateTable( + name: "AspNetUsers", + columns: table => new + { + Id = table.Column(type: "text", nullable: false), + UserName = table.Column(type: "character varying(256)", maxLength: 256, nullable: true), + NormalizedUserName = table.Column(type: "character varying(256)", maxLength: 256, nullable: true), + Email = table.Column(type: "character varying(256)", maxLength: 256, nullable: true), + NormalizedEmail = table.Column(type: "character varying(256)", maxLength: 256, nullable: true), + EmailConfirmed = table.Column(type: "boolean", nullable: false), + PasswordHash = table.Column(type: "text", nullable: true), + SecurityStamp = table.Column(type: "text", nullable: true), + ConcurrencyStamp = table.Column(type: "text", nullable: true), + PhoneNumber = table.Column(type: "text", nullable: true), + PhoneNumberConfirmed = table.Column(type: "boolean", nullable: false), + TwoFactorEnabled = table.Column(type: "boolean", nullable: false), + LockoutEnd = table.Column(type: "timestamp with time zone", nullable: true), + LockoutEnabled = table.Column(type: "boolean", nullable: false), + AccessFailedCount = table.Column(type: "integer", nullable: false) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetUsers", x => x.Id); + }); + + migrationBuilder.CreateTable( + name: "AspNetRoleClaims", + columns: table => new + { + Id = table.Column(type: "integer", nullable: false) + .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn), + RoleId = table.Column(type: "text", nullable: false), + ClaimType = table.Column(type: "text", nullable: true), + ClaimValue = table.Column(type: "text", nullable: true) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetRoleClaims", x => x.Id); + table.ForeignKey( + name: "FK_AspNetRoleClaims_AspNetRoles_RoleId", + column: x => x.RoleId, + principalTable: "AspNetRoles", + principalColumn: "Id", + onDelete: ReferentialAction.Cascade); + }); + + migrationBuilder.CreateTable( + name: "AspNetUserClaims", + columns: table => new + { + Id = table.Column(type: "integer", nullable: false) + .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn), + UserId = table.Column(type: "text", nullable: false), + ClaimType = table.Column(type: "text", nullable: true), + ClaimValue = table.Column(type: "text", nullable: true) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetUserClaims", x => x.Id); + table.ForeignKey( + name: "FK_AspNetUserClaims_AspNetUsers_UserId", + column: x => x.UserId, + principalTable: "AspNetUsers", + principalColumn: "Id", + onDelete: ReferentialAction.Cascade); + }); + + migrationBuilder.CreateTable( + name: "AspNetUserLogins", + columns: table => new + { + LoginProvider = table.Column(type: "text", nullable: false), + ProviderKey = table.Column(type: "text", nullable: false), + ProviderDisplayName = table.Column(type: "text", nullable: true), + UserId = table.Column(type: "text", nullable: false) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetUserLogins", x => new { x.LoginProvider, x.ProviderKey }); + table.ForeignKey( + name: "FK_AspNetUserLogins_AspNetUsers_UserId", + column: x => x.UserId, + principalTable: "AspNetUsers", + principalColumn: "Id", + onDelete: ReferentialAction.Cascade); + }); + + migrationBuilder.CreateTable( + name: "AspNetUserRoles", + columns: table => new + { + UserId = table.Column(type: "text", nullable: false), + RoleId = table.Column(type: "text", nullable: false) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetUserRoles", x => new { x.UserId, x.RoleId }); + table.ForeignKey( + name: "FK_AspNetUserRoles_AspNetRoles_RoleId", + column: x => x.RoleId, + principalTable: "AspNetRoles", + principalColumn: "Id", + onDelete: ReferentialAction.Cascade); + table.ForeignKey( + name: "FK_AspNetUserRoles_AspNetUsers_UserId", + column: x => x.UserId, + principalTable: "AspNetUsers", + principalColumn: "Id", + onDelete: ReferentialAction.Cascade); + }); + + migrationBuilder.CreateTable( + name: "AspNetUserTokens", + columns: table => new + { + UserId = table.Column(type: "text", nullable: false), + LoginProvider = table.Column(type: "text", nullable: false), + Name = table.Column(type: "text", nullable: false), + Value = table.Column(type: "text", nullable: true) + }, + constraints: table => + { + table.PrimaryKey("PK_AspNetUserTokens", x => new { x.UserId, x.LoginProvider, x.Name }); + table.ForeignKey( + name: "FK_AspNetUserTokens_AspNetUsers_UserId", + column: x => x.UserId, + principalTable: "AspNetUsers", + principalColumn: "Id", + onDelete: ReferentialAction.Cascade); + }); + + migrationBuilder.CreateIndex( + name: "IX_AspNetRoleClaims_RoleId", + table: "AspNetRoleClaims", + column: "RoleId"); + + migrationBuilder.CreateIndex( + name: "RoleNameIndex", + table: "AspNetRoles", + column: "NormalizedName", + unique: true); + + migrationBuilder.CreateIndex( + name: "IX_AspNetUserClaims_UserId", + table: "AspNetUserClaims", + column: "UserId"); + + migrationBuilder.CreateIndex( + name: "IX_AspNetUserLogins_UserId", + table: "AspNetUserLogins", + column: "UserId"); + + migrationBuilder.CreateIndex( + name: "IX_AspNetUserRoles_RoleId", + table: "AspNetUserRoles", + column: "RoleId"); + + migrationBuilder.CreateIndex( + name: "EmailIndex", + table: "AspNetUsers", + column: "NormalizedEmail"); + + migrationBuilder.CreateIndex( + name: "UserNameIndex", + table: "AspNetUsers", + column: "NormalizedUserName", + unique: true); + } + + /// + protected override void Down(MigrationBuilder migrationBuilder) + { + migrationBuilder.DropTable( + name: "AspNetRoleClaims"); + + migrationBuilder.DropTable( + name: "AspNetUserClaims"); + + migrationBuilder.DropTable( + name: "AspNetUserLogins"); + + migrationBuilder.DropTable( + name: "AspNetUserRoles"); + + migrationBuilder.DropTable( + name: "AspNetUserTokens"); + + migrationBuilder.DropTable( + name: "AspNetRoles"); + + migrationBuilder.DropTable( + name: "AspNetUsers"); + } + } +} diff --git a/src/IdentitySvc/Data/Migrations/ApplicationDbContextModelSnapshot.cs b/src/IdentitySvc/Data/Migrations/ApplicationDbContextModelSnapshot.cs new file mode 100644 index 0000000..36b150c --- /dev/null +++ b/src/IdentitySvc/Data/Migrations/ApplicationDbContextModelSnapshot.cs @@ -0,0 +1,274 @@ +// +using System; +using IdentitySvc.Data; +using Microsoft.EntityFrameworkCore; +using Microsoft.EntityFrameworkCore.Infrastructure; +using Microsoft.EntityFrameworkCore.Storage.ValueConversion; +using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata; + +#nullable disable + +namespace IdentitySvc.Data.Migrations +{ + [DbContext(typeof(ApplicationDbContext))] + partial class ApplicationDbContextModelSnapshot : ModelSnapshot + { + protected override void BuildModel(ModelBuilder modelBuilder) + { +#pragma warning disable 612, 618 + modelBuilder + .HasAnnotation("ProductVersion", "8.0.11") + .HasAnnotation("Relational:MaxIdentifierLength", 63); + + NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder); + + modelBuilder.Entity("IdentitySvc.Models.ApplicationUser", b => + { + b.Property("Id") + .HasColumnType("text"); + + b.Property("AccessFailedCount") + .HasColumnType("integer"); + + b.Property("ConcurrencyStamp") + .IsConcurrencyToken() + .HasColumnType("text"); + + b.Property("Email") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("EmailConfirmed") + .HasColumnType("boolean"); + + b.Property("LockoutEnabled") + .HasColumnType("boolean"); + + b.Property("LockoutEnd") + .HasColumnType("timestamp with time zone"); + + b.Property("NormalizedEmail") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("NormalizedUserName") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("PasswordHash") + .HasColumnType("text"); + + b.Property("PhoneNumber") + .HasColumnType("text"); + + b.Property("PhoneNumberConfirmed") + .HasColumnType("boolean"); + + b.Property("SecurityStamp") + .HasColumnType("text"); + + b.Property("TwoFactorEnabled") + .HasColumnType("boolean"); + + b.Property("UserName") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.HasKey("Id"); + + b.HasIndex("NormalizedEmail") + .HasDatabaseName("EmailIndex"); + + b.HasIndex("NormalizedUserName") + .IsUnique() + .HasDatabaseName("UserNameIndex"); + + b.ToTable("AspNetUsers", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRole", b => + { + b.Property("Id") + .HasColumnType("text"); + + b.Property("ConcurrencyStamp") + .IsConcurrencyToken() + .HasColumnType("text"); + + b.Property("Name") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.Property("NormalizedName") + .HasMaxLength(256) + .HasColumnType("character varying(256)"); + + b.HasKey("Id"); + + b.HasIndex("NormalizedName") + .IsUnique() + .HasDatabaseName("RoleNameIndex"); + + b.ToTable("AspNetRoles", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim", b => + { + b.Property("Id") + .ValueGeneratedOnAdd() + .HasColumnType("integer"); + + NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property("Id")); + + b.Property("ClaimType") + .HasColumnType("text"); + + b.Property("ClaimValue") + .HasColumnType("text"); + + b.Property("RoleId") + .IsRequired() + .HasColumnType("text"); + + b.HasKey("Id"); + + b.HasIndex("RoleId"); + + b.ToTable("AspNetRoleClaims", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim", b => + { + b.Property("Id") + .ValueGeneratedOnAdd() + .HasColumnType("integer"); + + NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property("Id")); + + b.Property("ClaimType") + .HasColumnType("text"); + + b.Property("ClaimValue") + .HasColumnType("text"); + + b.Property("UserId") + .IsRequired() + .HasColumnType("text"); + + b.HasKey("Id"); + + b.HasIndex("UserId"); + + b.ToTable("AspNetUserClaims", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin", b => + { + b.Property("LoginProvider") + .HasColumnType("text"); + + b.Property("ProviderKey") + .HasColumnType("text"); + + b.Property("ProviderDisplayName") + .HasColumnType("text"); + + b.Property("UserId") + .IsRequired() + .HasColumnType("text"); + + b.HasKey("LoginProvider", "ProviderKey"); + + b.HasIndex("UserId"); + + b.ToTable("AspNetUserLogins", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole", b => + { + b.Property("UserId") + .HasColumnType("text"); + + b.Property("RoleId") + .HasColumnType("text"); + + b.HasKey("UserId", "RoleId"); + + b.HasIndex("RoleId"); + + b.ToTable("AspNetUserRoles", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken", b => + { + b.Property("UserId") + .HasColumnType("text"); + + b.Property("LoginProvider") + .HasColumnType("text"); + + b.Property("Name") + .HasColumnType("text"); + + b.Property("Value") + .HasColumnType("text"); + + b.HasKey("UserId", "LoginProvider", "Name"); + + b.ToTable("AspNetUserTokens", (string)null); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim", b => + { + b.HasOne("Microsoft.AspNetCore.Identity.IdentityRole", null) + .WithMany() + .HasForeignKey("RoleId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim", b => + { + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin", b => + { + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole", b => + { + b.HasOne("Microsoft.AspNetCore.Identity.IdentityRole", null) + .WithMany() + .HasForeignKey("RoleId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); + + modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken", b => + { + b.HasOne("IdentitySvc.Models.ApplicationUser", null) + .WithMany() + .HasForeignKey("UserId") + .OnDelete(DeleteBehavior.Cascade) + .IsRequired(); + }); +#pragma warning restore 612, 618 + } + } +} diff --git a/src/IdentitySvc/HostingExtensions.cs b/src/IdentitySvc/HostingExtensions.cs new file mode 100644 index 0000000..0f5f0fa --- /dev/null +++ b/src/IdentitySvc/HostingExtensions.cs @@ -0,0 +1,70 @@ +using Duende.IdentityServer; +using IdentitySvc.Data; +using IdentitySvc.Models; +using IdentitySvc.Services; +using Microsoft.AspNetCore.Identity; +using Microsoft.EntityFrameworkCore; +using Serilog; + +namespace IdentitySvc; + +internal static class HostingExtensions +{ + public static WebApplication ConfigureServices(this WebApplicationBuilder builder) + { + builder.Services.AddRazorPages(); + + builder.Services.AddDbContext(options => + options.UseNpgsql(builder.Configuration.GetConnectionString("DefaultConnection"))); + + builder.Services.AddIdentity() + .AddEntityFrameworkStores() + .AddDefaultTokenProviders(); + + builder.Services + .AddIdentityServer(options => + { + options.Events.RaiseErrorEvents = true; + options.Events.RaiseInformationEvents = true; + options.Events.RaiseFailureEvents = true; + options.Events.RaiseSuccessEvents = true; + + // see https://docs.duendesoftware.com/identityserver/v6/fundamentals/resources/ + // options.EmitStaticAudienceClaim = true; + }) + .AddInMemoryIdentityResources(Config.IdentityResources) + .AddInMemoryApiScopes(Config.ApiScopes) + .AddInMemoryClients(Config.Clients) + .AddAspNetIdentity() + .AddProfileService(); + + builder.Services.ConfigureApplicationCookie(options => + { + options.Cookie.SameSite = SameSiteMode.Lax; + }); + + builder.Services.AddAuthentication(); + + return builder.Build(); + } + + public static WebApplication ConfigurePipeline(this WebApplication app) + { + app.UseSerilogRequestLogging(); + + if (app.Environment.IsDevelopment()) + { + app.UseDeveloperExceptionPage(); + } + + app.UseStaticFiles(); + app.UseRouting(); + app.UseIdentityServer(); + app.UseAuthorization(); + + app.MapRazorPages() + .RequireAuthorization(); + + return app; + } +} \ No newline at end of file diff --git a/src/IdentitySvc/IdentitySvc.csproj b/src/IdentitySvc/IdentitySvc.csproj new file mode 100644 index 0000000..1473669 --- /dev/null +++ b/src/IdentitySvc/IdentitySvc.csproj @@ -0,0 +1,22 @@ + + + + net8.0 + enable + enable + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/src/IdentitySvc/Models/ApplicationUser.cs b/src/IdentitySvc/Models/ApplicationUser.cs new file mode 100644 index 0000000..b570cb4 --- /dev/null +++ b/src/IdentitySvc/Models/ApplicationUser.cs @@ -0,0 +1,12 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + + +using Microsoft.AspNetCore.Identity; + +namespace IdentitySvc.Models; + +// Add profile data for application users by adding properties to the ApplicationUser class +public class ApplicationUser : IdentityUser +{ +} diff --git a/src/IdentitySvc/Pages/Account/AccessDenied.cshtml b/src/IdentitySvc/Pages/Account/AccessDenied.cshtml new file mode 100644 index 0000000..65c56cf --- /dev/null +++ b/src/IdentitySvc/Pages/Account/AccessDenied.cshtml @@ -0,0 +1,10 @@ +@page +@model IdentitySvc.Pages.Account.AccessDeniedModel +@{ +} +
+
+

Access Denied

+

You do not have permission to access that resource.

+
+
\ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/AccessDenied.cshtml.cs b/src/IdentitySvc/Pages/Account/AccessDenied.cshtml.cs new file mode 100644 index 0000000..d9a51d4 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/AccessDenied.cshtml.cs @@ -0,0 +1,13 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Account; + +public class AccessDeniedModel : PageModel +{ + public void OnGet() + { + } +} diff --git a/src/IdentitySvc/Pages/Account/Login/Index.cshtml b/src/IdentitySvc/Pages/Account/Login/Index.cshtml new file mode 100644 index 0000000..a45f6dc --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Login/Index.cshtml @@ -0,0 +1,89 @@ +@page +@model IdentitySvc.Pages.Login.Index + + \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Login/Index.cshtml.cs b/src/IdentitySvc/Pages/Account/Login/Index.cshtml.cs new file mode 100644 index 0000000..2a37d18 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Login/Index.cshtml.cs @@ -0,0 +1,216 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer; +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Duende.IdentityServer.Stores; +using IdentitySvc.Models; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Identity; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Login; + +[SecurityHeaders] +[AllowAnonymous] +public class Index : PageModel +{ + private readonly UserManager _userManager; + private readonly SignInManager _signInManager; + private readonly IIdentityServerInteractionService _interaction; + private readonly IEventService _events; + private readonly IAuthenticationSchemeProvider _schemeProvider; + private readonly IIdentityProviderStore _identityProviderStore; + + public ViewModel View { get; set; } = default!; + + [BindProperty] + public InputModel Input { get; set; } = default!; + + public Index( + IIdentityServerInteractionService interaction, + IAuthenticationSchemeProvider schemeProvider, + IIdentityProviderStore identityProviderStore, + IEventService events, + UserManager userManager, + SignInManager signInManager) + { + _userManager = userManager; + _signInManager = signInManager; + _interaction = interaction; + _schemeProvider = schemeProvider; + _identityProviderStore = identityProviderStore; + _events = events; + } + + public async Task OnGet(string? returnUrl) + { + await BuildModelAsync(returnUrl); + + if (View.IsExternalLoginOnly) + { + // we only have one option for logging in and it's an external provider + return RedirectToPage("/ExternalLogin/Challenge", new { scheme = View.ExternalLoginScheme, returnUrl }); + } + + return Page(); + } + + public async Task OnPost() + { + // check if we are in the context of an authorization request + var context = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl); + + // the user clicked the "cancel" button + if (Input.Button != "login") + { + if (context != null) + { + // This "can't happen", because if the ReturnUrl was null, then the context would be null + ArgumentNullException.ThrowIfNull(Input.ReturnUrl, nameof(Input.ReturnUrl)); + + // if the user cancels, send a result back into IdentityServer as if they + // denied the consent (even if this client does not require consent). + // this will send back an access denied OIDC error response to the client. + await _interaction.DenyAuthorizationAsync(context, AuthorizationError.AccessDenied); + + // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null + if (context.IsNativeClient()) + { + // The client is native, so this change in how to + // return the response is for better UX for the end user. + return this.LoadingPage(Input.ReturnUrl); + } + + return Redirect(Input.ReturnUrl ?? "~/"); + } + else + { + // since we don't have a valid context, then we just go back to the home page + return Redirect("~/"); + } + } + + if (ModelState.IsValid) + { + var result = await _signInManager.PasswordSignInAsync(Input.Username!, Input.Password!, Input.RememberLogin, lockoutOnFailure: true); + if (result.Succeeded) + { + var user = await _userManager.FindByNameAsync(Input.Username!); + await _events.RaiseAsync(new UserLoginSuccessEvent(user!.UserName, user.Id, user.UserName, clientId: context?.Client.ClientId)); + Telemetry.Metrics.UserLogin(context?.Client.ClientId, IdentityServerConstants.LocalIdentityProvider); + + if (context != null) + { + // This "can't happen", because if the ReturnUrl was null, then the context would be null + ArgumentNullException.ThrowIfNull(Input.ReturnUrl, nameof(Input.ReturnUrl)); + + if (context.IsNativeClient()) + { + // The client is native, so this change in how to + // return the response is for better UX for the end user. + return this.LoadingPage(Input.ReturnUrl); + } + + // we can trust model.ReturnUrl since GetAuthorizationContextAsync returned non-null + return Redirect(Input.ReturnUrl ?? "~/"); + } + + // request for a local page + if (Url.IsLocalUrl(Input.ReturnUrl)) + { + return Redirect(Input.ReturnUrl); + } + else if (string.IsNullOrEmpty(Input.ReturnUrl)) + { + return Redirect("~/"); + } + else + { + // user might have clicked on a malicious link - should be logged + throw new ArgumentException("invalid return URL"); + } + } + + const string error = "invalid credentials"; + await _events.RaiseAsync(new UserLoginFailureEvent(Input.Username, error, clientId:context?.Client.ClientId)); + Telemetry.Metrics.UserLoginFailure(context?.Client.ClientId, IdentityServerConstants.LocalIdentityProvider, error); + ModelState.AddModelError(string.Empty, LoginOptions.InvalidCredentialsErrorMessage); + } + + // something went wrong, show form with error + await BuildModelAsync(Input.ReturnUrl); + return Page(); + } + + private async Task BuildModelAsync(string? returnUrl) + { + Input = new InputModel + { + ReturnUrl = returnUrl + }; + + var context = await _interaction.GetAuthorizationContextAsync(returnUrl); + if (context?.IdP != null && await _schemeProvider.GetSchemeAsync(context.IdP) != null) + { + var local = context.IdP == Duende.IdentityServer.IdentityServerConstants.LocalIdentityProvider; + + // this is meant to short circuit the UI and only trigger the one external IdP + View = new ViewModel + { + EnableLocalLogin = local, + }; + + Input.Username = context.LoginHint; + + if (!local) + { + View.ExternalProviders = new[] { new ViewModel.ExternalProvider ( authenticationScheme: context.IdP ) }; + } + + return; + } + + var schemes = await _schemeProvider.GetAllSchemesAsync(); + + var providers = schemes + .Where(x => x.DisplayName != null) + .Select(x => new ViewModel.ExternalProvider + ( + authenticationScheme: x.Name, + displayName: x.DisplayName ?? x.Name + )).ToList(); + + var dynamicSchemes = (await _identityProviderStore.GetAllSchemeNamesAsync()) + .Where(x => x.Enabled) + .Select(x => new ViewModel.ExternalProvider + ( + authenticationScheme: x.Scheme, + displayName: x.DisplayName ?? x.Scheme + )); + providers.AddRange(dynamicSchemes); + + + var allowLocal = true; + var client = context?.Client; + if (client != null) + { + allowLocal = client.EnableLocalLogin; + if (client.IdentityProviderRestrictions != null && client.IdentityProviderRestrictions.Count != 0) + { + providers = providers.Where(provider => client.IdentityProviderRestrictions.Contains(provider.AuthenticationScheme)).ToList(); + } + } + + View = new ViewModel + { + AllowRememberLogin = LoginOptions.AllowRememberLogin, + EnableLocalLogin = allowLocal && LoginOptions.AllowLocalLogin, + ExternalProviders = providers.ToArray() + }; + } +} diff --git a/src/IdentitySvc/Pages/Account/Login/InputModel.cs b/src/IdentitySvc/Pages/Account/Login/InputModel.cs new file mode 100644 index 0000000..7b40060 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Login/InputModel.cs @@ -0,0 +1,17 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using System.ComponentModel.DataAnnotations; + +namespace IdentitySvc.Pages.Login; + +public class InputModel +{ + [Required] + public string? Username { get; set; } + [Required] + public string? Password { get; set; } + public bool RememberLogin { get; set; } + public string? ReturnUrl { get; set; } + public string? Button { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Login/LoginOptions.cs b/src/IdentitySvc/Pages/Account/Login/LoginOptions.cs new file mode 100644 index 0000000..087784e --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Login/LoginOptions.cs @@ -0,0 +1,12 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Login; + +public static class LoginOptions +{ + public static readonly bool AllowLocalLogin = true; + public static readonly bool AllowRememberLogin = true; + public static readonly TimeSpan RememberMeLoginDuration = TimeSpan.FromDays(30); + public static readonly string InvalidCredentialsErrorMessage = "Invalid username or password"; +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Login/ViewModel.cs b/src/IdentitySvc/Pages/Account/Login/ViewModel.cs new file mode 100644 index 0000000..ebdf99f --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Login/ViewModel.cs @@ -0,0 +1,28 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Login; + +public class ViewModel +{ + public bool AllowRememberLogin { get; set; } = true; + public bool EnableLocalLogin { get; set; } = true; + + public IEnumerable ExternalProviders { get; set; } = Enumerable.Empty(); + public IEnumerable VisibleExternalProviders => ExternalProviders.Where(x => !String.IsNullOrWhiteSpace(x.DisplayName)); + + public bool IsExternalLoginOnly => EnableLocalLogin == false && ExternalProviders?.Count() == 1; + public string? ExternalLoginScheme => IsExternalLoginOnly ? ExternalProviders?.SingleOrDefault()?.AuthenticationScheme : null; + + public class ExternalProvider + { + public ExternalProvider(string authenticationScheme, string? displayName = null) + { + AuthenticationScheme = authenticationScheme; + DisplayName = displayName; + } + + public string? DisplayName { get; set; } + public string AuthenticationScheme { get; set; } + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Logout/Index.cshtml b/src/IdentitySvc/Pages/Account/Logout/Index.cshtml new file mode 100644 index 0000000..79cb1f5 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Logout/Index.cshtml @@ -0,0 +1,17 @@ +@page +@model IdentitySvc.Pages.Logout.Index + +
+
+

Logout

+

Would you like to logout of IdentityServer?

+
+ +
+ + +
+ +
+
+
\ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Logout/Index.cshtml.cs b/src/IdentitySvc/Pages/Account/Logout/Index.cshtml.cs new file mode 100644 index 0000000..c73c93e --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Logout/Index.cshtml.cs @@ -0,0 +1,104 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Extensions; +using Duende.IdentityServer.Services; +using IdentityModel; +using IdentitySvc.Models; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Identity; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Logout; + +[SecurityHeaders] +[AllowAnonymous] +public class Index : PageModel +{ + private readonly SignInManager _signInManager; + private readonly IIdentityServerInteractionService _interaction; + private readonly IEventService _events; + + [BindProperty] + public string? LogoutId { get; set; } + + public Index(SignInManager signInManager, IIdentityServerInteractionService interaction, IEventService events) + { + _signInManager = signInManager; + _interaction = interaction; + _events = events; + } + + public async Task OnGet(string? logoutId) + { + LogoutId = logoutId; + + var showLogoutPrompt = LogoutOptions.ShowLogoutPrompt; + + if (User.Identity?.IsAuthenticated != true) + { + // if the user is not authenticated, then just show logged out page + showLogoutPrompt = false; + } + else + { + var context = await _interaction.GetLogoutContextAsync(LogoutId); + if (context?.ShowSignoutPrompt == false) + { + // it's safe to automatically sign-out + showLogoutPrompt = false; + } + } + + if (showLogoutPrompt == false) + { + // if the request for logout was properly authenticated from IdentityServer, then + // we don't need to show the prompt and can just log the user out directly. + return await OnPost(); + } + + return Page(); + } + + public async Task OnPost() + { + if (User.Identity?.IsAuthenticated == true) + { + // if there's no current logout context, we need to create one + // this captures necessary info from the current logged in user + // this can still return null if there is no context needed + LogoutId ??= await _interaction.CreateLogoutContextAsync(); + + // delete local authentication cookie + await _signInManager.SignOutAsync(); + + // see if we need to trigger federated logout + var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value; + + // raise the logout event + await _events.RaiseAsync(new UserLogoutSuccessEvent(User.GetSubjectId(), User.GetDisplayName())); + Telemetry.Metrics.UserLogout(idp); + + // if it's a local login we can ignore this workflow + if (idp != null && idp != Duende.IdentityServer.IdentityServerConstants.LocalIdentityProvider) + { + // we need to see if the provider supports external logout + if (await HttpContext.GetSchemeSupportsSignOutAsync(idp)) + { + // build a return URL so the upstream provider will redirect back + // to us after the user has logged out. this allows us to then + // complete our single sign-out processing. + var url = Url.Page("/Account/Logout/Loggedout", new { logoutId = LogoutId }); + + // this triggers a redirect to the external provider for sign-out + return SignOut(new AuthenticationProperties { RedirectUri = url }, idp); + } + } + } + + return RedirectToPage("/Account/Logout/LoggedOut", new { logoutId = LogoutId }); + } +} diff --git a/src/IdentitySvc/Pages/Account/Logout/LoggedOut.cshtml b/src/IdentitySvc/Pages/Account/Logout/LoggedOut.cshtml new file mode 100644 index 0000000..d57a2a8 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Logout/LoggedOut.cshtml @@ -0,0 +1,30 @@ +@page +@model IdentitySvc.Pages.Logout.LoggedOut + +
+

+ Logout + You are now logged out +

+ + @if (Model.View.PostLogoutRedirectUri != null) + { +
+ Click here to return to the + @Model.View.ClientName application. +
+ } + + @if (Model.View.SignOutIframeUrl != null) + { + + } +
+ +@section scripts +{ + @if (Model.View.AutomaticRedirectAfterSignOut) + { + + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Logout/LoggedOut.cshtml.cs b/src/IdentitySvc/Pages/Account/Logout/LoggedOut.cshtml.cs new file mode 100644 index 0000000..57ffcaa --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Logout/LoggedOut.cshtml.cs @@ -0,0 +1,36 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Services; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Logout; + +[SecurityHeaders] +[AllowAnonymous] +public class LoggedOut : PageModel +{ + private readonly IIdentityServerInteractionService _interactionService; + + public LoggedOutViewModel View { get; set; } = default!; + + public LoggedOut(IIdentityServerInteractionService interactionService) + { + _interactionService = interactionService; + } + + public async Task OnGet(string? logoutId) + { + // get context information (client name, post logout redirect URI and iframe for federated signout) + var logout = await _interactionService.GetLogoutContextAsync(logoutId); + + View = new LoggedOutViewModel + { + AutomaticRedirectAfterSignOut = LogoutOptions.AutomaticRedirectAfterSignOut, + PostLogoutRedirectUri = logout?.PostLogoutRedirectUri, + ClientName = String.IsNullOrEmpty(logout?.ClientName) ? logout?.ClientId : logout?.ClientName, + SignOutIframeUrl = logout?.SignOutIFrameUrl + }; + } +} diff --git a/src/IdentitySvc/Pages/Account/Logout/LoggedOutViewModel.cs b/src/IdentitySvc/Pages/Account/Logout/LoggedOutViewModel.cs new file mode 100644 index 0000000..c066a48 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Logout/LoggedOutViewModel.cs @@ -0,0 +1,15 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Logout; + +public class LoggedOutViewModel +{ + public string? PostLogoutRedirectUri { get; set; } + public string? ClientName { get; set; } + public string? SignOutIframeUrl { get; set; } + public bool AutomaticRedirectAfterSignOut { get; set; } +} diff --git a/src/IdentitySvc/Pages/Account/Logout/LogoutOptions.cs b/src/IdentitySvc/Pages/Account/Logout/LogoutOptions.cs new file mode 100644 index 0000000..7cbdd3f --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Logout/LogoutOptions.cs @@ -0,0 +1,11 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + + +namespace IdentitySvc.Pages.Logout; + +public static class LogoutOptions +{ + public static readonly bool ShowLogoutPrompt = true; + public static readonly bool AutomaticRedirectAfterSignOut = false; +} diff --git a/src/IdentitySvc/Pages/Account/Register/Index.cshtml b/src/IdentitySvc/Pages/Account/Register/Index.cshtml new file mode 100644 index 0000000..85c6a29 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Register/Index.cshtml @@ -0,0 +1,64 @@ +@page +@model IdentitySvc.Pages.Register.Index + + + + + + + + +
+ + +
+
+
+
+

Register

+
+
+
+ + +
+ + +
+ +
+ + +
+ +
+ + +
+ +
+ + +
+ + + Already Regitered? Login here + + + + +
+
+ + @if (Model.RegisterSuccess) + { +
+ Successfully registered - You can now login +
+ } +
+
+
+
+ + \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Register/Index.cshtml.cs b/src/IdentitySvc/Pages/Account/Register/Index.cshtml.cs new file mode 100644 index 0000000..71213f1 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Register/Index.cshtml.cs @@ -0,0 +1,66 @@ +using System.Security.Claims; +using IdentityModel; +using IdentitySvc.Models; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Identity; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Register; + +[SecurityHeaders] +[AllowAnonymous] + +public class Index : PageModel +{ + private readonly UserManager _userManager; + + public Index(UserManager userManager) + { + _userManager = userManager; + } + + [BindProperty] + public RegisterViewModel Input { get; set; } + [BindProperty] + public bool RegisterSuccess { get; set; } + + public IActionResult OnGet(string returnUrl) + { + Input = new RegisterViewModel + { + ReturnUrl = returnUrl, + }; + + return Page(); + } + + public async Task OnPost() + { + if (Input.Button != "register") return Redirect("~/"); + + if (ModelState.IsValid) + { + var user = new ApplicationUser + { + UserName = Input.Username, + Email = Input.Email, + EmailConfirmed = true, + }; + + var result = await _userManager.CreateAsync(user, Input.Password); + + if (result.Succeeded) + { + await _userManager.AddClaimsAsync(user, new Claim[] + { + new Claim(JwtClaimTypes.Name, Input.FullName) + }); + + RegisterSuccess = true; + } + } + + return Page(); + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Account/Register/RegisterViewModel.cs b/src/IdentitySvc/Pages/Account/Register/RegisterViewModel.cs new file mode 100644 index 0000000..e172947 --- /dev/null +++ b/src/IdentitySvc/Pages/Account/Register/RegisterViewModel.cs @@ -0,0 +1,18 @@ +using System.ComponentModel.DataAnnotations; + +namespace IdentitySvc.Pages.Register; + +public class RegisterViewModel +{ + [Required] + public string Email { get; set; } + [Required] + public string Password { get; set; } + [Required] + public string Username { get; set; } + [Required] + public string FullName { get; set; } + + public string ReturnUrl { get; set; } + public string Button { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/All.cshtml b/src/IdentitySvc/Pages/Ciba/All.cshtml new file mode 100644 index 0000000..775cd57 --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/All.cshtml @@ -0,0 +1,48 @@ +@page +@model IdentitySvc.Pages.Ciba.AllModel +@{ +} + +
+
+
+
+
+

Pending Backchannel Login Requests

+
+
+ @if (Model.Logins.Any()) + { + + + + + + + + + + + @foreach (var login in Model.Logins) + { + + + + + + + } + +
IdClient IdBinding Message
@login.InternalId@login.Client.ClientId@login.BindingMessage + Process +
+ } + else + { +
No Pending Login Requests
+ } +
+
+
+
+
\ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/All.cshtml.cs b/src/IdentitySvc/Pages/Ciba/All.cshtml.cs new file mode 100644 index 0000000..4fd3efb --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/All.cshtml.cs @@ -0,0 +1,28 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Ciba; + +[SecurityHeaders] +[Authorize] +public class AllModel : PageModel +{ + public IEnumerable Logins { get; set; } = default!; + + private readonly IBackchannelAuthenticationInteractionService _backchannelAuthenticationInteraction; + + public AllModel(IBackchannelAuthenticationInteractionService backchannelAuthenticationInteractionService) + { + _backchannelAuthenticationInteraction = backchannelAuthenticationInteractionService; + } + + public async Task OnGet() + { + Logins = await _backchannelAuthenticationInteraction.GetPendingLoginRequestsForCurrentUserAsync(); + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/Consent.cshtml b/src/IdentitySvc/Pages/Ciba/Consent.cshtml new file mode 100644 index 0000000..da3620c --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/Consent.cshtml @@ -0,0 +1,98 @@ +@page +@model IdentitySvc.Pages.Ciba.Consent +@{ +} + +
+
+ @if (Model.View.ClientLogoUrl != null) + { + + } +

+ @Model.View.ClientName + is requesting your permission +

+ +

Verify that this identifier matches what the client is displaying: @Model.View.BindingMessage

+ +

Uncheck the permissions you do not wish to grant.

+
+ +
+
+ +
+
+ +
+ +
+
+ @if (Model.View.IdentityScopes.Any()) + { +
+
+
+ + Personal Information +
+
    + @foreach (var scope in Model.View.IdentityScopes) + { + + } +
+
+
+ } + + @if (Model.View.ApiScopes.Any()) + { +
+
+
+ + Application Access +
+
    + @foreach (var scope in Model.View.ApiScopes) + { + + } +
+
+
+ } + +
+
+
+ + Description +
+
+ +
+
+
+
+
+ +
+
+ + +
+
+ @if (Model.View.ClientUrl != null) + { + + + @Model.View.ClientName + + } +
+
+
+
diff --git a/src/IdentitySvc/Pages/Ciba/Consent.cshtml.cs b/src/IdentitySvc/Pages/Ciba/Consent.cshtml.cs new file mode 100644 index 0000000..e2e4fcc --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/Consent.cshtml.cs @@ -0,0 +1,228 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Extensions; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Duende.IdentityServer.Validation; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Ciba; + +[Authorize] +[SecurityHeaders] +public class Consent : PageModel +{ + private readonly IBackchannelAuthenticationInteractionService _interaction; + private readonly IEventService _events; + private readonly ILogger _logger; + + public Consent( + IBackchannelAuthenticationInteractionService interaction, + IEventService events, + ILogger logger) + { + _interaction = interaction; + _events = events; + _logger = logger; + } + + public ViewModel View { get; set; } = default!; + + [BindProperty] + public InputModel Input { get; set; } = default!; + + public async Task OnGet(string? id) + { + if (!await SetViewModelAsync(id)) + { + return RedirectToPage("/Home/Error/Index"); + } + + Input = new InputModel + { + Id = id + }; + + return Page(); + } + + public async Task OnPost() + { + // validate return url is still valid + var request = await _interaction.GetLoginRequestByInternalIdAsync(Input.Id ?? throw new ArgumentNullException(nameof(Input.Id))); + if (request == null || request.Subject.GetSubjectId() != User.GetSubjectId()) + { + _logger.InvalidId(Input.Id); + return RedirectToPage("/Home/Error/Index"); + } + + CompleteBackchannelLoginRequest? result = null; + + // user clicked 'no' - send back the standard 'access_denied' response + if (Input.Button == "no") + { + result = new CompleteBackchannelLoginRequest(Input.Id); + + // emit event + await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues)); + Telemetry.Metrics.ConsentDenied(request.Client.ClientId, request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName)); + } + // user clicked 'yes' - validate the data + else if (Input.Button == "yes") + { + // if the user consented to some scope, build the response model + if (Input.ScopesConsented.Any()) + { + var scopes = Input.ScopesConsented; + if (ConsentOptions.EnableOfflineAccess == false) + { + scopes = scopes.Where(x => x != Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess); + } + + result = new CompleteBackchannelLoginRequest(Input.Id) + { + ScopesValuesConsented = scopes.ToArray(), + Description = Input.Description + }; + + // emit event + await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues, result.ScopesValuesConsented, false)); + Telemetry.Metrics.ConsentGranted(request.Client.ClientId, result.ScopesValuesConsented, false); + var denied = request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName).Except(result.ScopesValuesConsented); + Telemetry.Metrics.ConsentDenied(request.Client.ClientId, denied); + } + else + { + ModelState.AddModelError("", ConsentOptions.MustChooseOneErrorMessage); + } + } + else + { + ModelState.AddModelError("", ConsentOptions.InvalidSelectionErrorMessage); + } + + if (result != null) + { + // communicate outcome of consent back to identityserver + await _interaction.CompleteLoginRequestAsync(result); + + return RedirectToPage("/Ciba/All"); + } + + // we need to redisplay the consent UI + if (!await SetViewModelAsync(Input.Id)) + { + return RedirectToPage("/Home/Error/Index"); + } + return Page(); + } + + private async Task SetViewModelAsync(string? id) + { + ArgumentNullException.ThrowIfNull(id); + + var request = await _interaction.GetLoginRequestByInternalIdAsync(id); + if (request != null && request.Subject.GetSubjectId() == User.GetSubjectId()) + { + View = CreateConsentViewModel(request); + return true; + } + else + { + _logger.NoMatchingBackchannelLoginRequest(id); + return false; + } + } + + private ViewModel CreateConsentViewModel(BackchannelUserLoginRequest request) + { + var vm = new ViewModel + { + ClientName = request.Client.ClientName ?? request.Client.ClientId, + ClientUrl = request.Client.ClientUri, + ClientLogoUrl = request.Client.LogoUri, + BindingMessage = request.BindingMessage + }; + + vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources + .Select(x => CreateScopeViewModel(x, Input == null || Input.ScopesConsented.Contains(x.Name))) + .ToArray(); + + var resourceIndicators = request.RequestedResourceIndicators ?? Enumerable.Empty(); + var apiResources = request.ValidatedResources.Resources.ApiResources.Where(x => resourceIndicators.Contains(x.Name)); + + var apiScopes = new List(); + foreach (var parsedScope in request.ValidatedResources.ParsedScopes) + { + var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName); + if (apiScope != null) + { + var scopeVm = CreateScopeViewModel(parsedScope, apiScope, Input == null || Input.ScopesConsented.Contains(parsedScope.RawValue)); + scopeVm.Resources = apiResources.Where(x => x.Scopes.Contains(parsedScope.ParsedName)) + .Select(x => new ResourceViewModel + { + Name = x.Name, + DisplayName = x.DisplayName ?? x.Name, + }).ToArray(); + apiScopes.Add(scopeVm); + } + } + if (ConsentOptions.EnableOfflineAccess && request.ValidatedResources.Resources.OfflineAccess) + { + apiScopes.Add(GetOfflineAccessScope(Input == null || Input.ScopesConsented.Contains(Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess))); + } + vm.ApiScopes = apiScopes; + + return vm; + } + + private static ScopeViewModel CreateScopeViewModel(IdentityResource identity, bool check) + { + return new ScopeViewModel + { + Name = identity.Name, + Value = identity.Name, + DisplayName = identity.DisplayName ?? identity.Name, + Description = identity.Description, + Emphasize = identity.Emphasize, + Required = identity.Required, + Checked = check || identity.Required + }; + } + + private static ScopeViewModel CreateScopeViewModel(ParsedScopeValue parsedScopeValue, ApiScope apiScope, bool check) + { + var displayName = apiScope.DisplayName ?? apiScope.Name; + if (!String.IsNullOrWhiteSpace(parsedScopeValue.ParsedParameter)) + { + displayName += ":" + parsedScopeValue.ParsedParameter; + } + + return new ScopeViewModel + { + Name = parsedScopeValue.ParsedName, + Value = parsedScopeValue.RawValue, + DisplayName = displayName, + Description = apiScope.Description, + Emphasize = apiScope.Emphasize, + Required = apiScope.Required, + Checked = check || apiScope.Required + }; + } + + private static ScopeViewModel GetOfflineAccessScope(bool check) + { + return new ScopeViewModel + { + Value = Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess, + DisplayName = ConsentOptions.OfflineAccessDisplayName, + Description = ConsentOptions.OfflineAccessDescription, + Emphasize = true, + Checked = check + }; + } +} diff --git a/src/IdentitySvc/Pages/Ciba/ConsentOptions.cs b/src/IdentitySvc/Pages/Ciba/ConsentOptions.cs new file mode 100644 index 0000000..f6886e7 --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/ConsentOptions.cs @@ -0,0 +1,14 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Ciba; + +public static class ConsentOptions +{ + public static readonly bool EnableOfflineAccess = true; + public static readonly string OfflineAccessDisplayName = "Offline Access"; + public static readonly string OfflineAccessDescription = "Access to your applications and resources, even when you are offline"; + + public static readonly string MustChooseOneErrorMessage = "You must pick at least one permission"; + public static readonly string InvalidSelectionErrorMessage = "Invalid selection"; +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/Index.cshtml b/src/IdentitySvc/Pages/Ciba/Index.cshtml new file mode 100644 index 0000000..485e5dc --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/Index.cshtml @@ -0,0 +1,30 @@ +@page +@model IdentitySvc.Pages.Ciba.IndexModel +@{ +} + +
+
+ @if (Model.LoginRequest.Client.LogoUri != null) + { + + } +

+ @Model.LoginRequest.Client.ClientName + is requesting your permission +

+ +

+ Verify that this identifier matches what the client is displaying: + @Model.LoginRequest.BindingMessage +

+ +

+ Do you wish to continue? +

+ + +
+
diff --git a/src/IdentitySvc/Pages/Ciba/Index.cshtml.cs b/src/IdentitySvc/Pages/Ciba/Index.cshtml.cs new file mode 100644 index 0000000..c9ffe43 --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/Index.cshtml.cs @@ -0,0 +1,42 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Ciba; + +[AllowAnonymous] +[SecurityHeaders] +public class IndexModel : PageModel +{ + public BackchannelUserLoginRequest LoginRequest { get; set; } = default!; + + private readonly IBackchannelAuthenticationInteractionService _backchannelAuthenticationInteraction; + private readonly ILogger _logger; + + public IndexModel(IBackchannelAuthenticationInteractionService backchannelAuthenticationInteractionService, ILogger logger) + { + _backchannelAuthenticationInteraction = backchannelAuthenticationInteractionService; + _logger = logger; + } + + public async Task OnGet(string id) + { + var result = await _backchannelAuthenticationInteraction.GetLoginRequestByInternalIdAsync(id); + if (result == null) + { + _logger.InvalidBackchannelLoginId(id); + return RedirectToPage("/Home/Error/Index"); + } + else + { + LoginRequest = result; + } + + return Page(); + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/InputModel.cs b/src/IdentitySvc/Pages/Ciba/InputModel.cs new file mode 100644 index 0000000..6a25a10 --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/InputModel.cs @@ -0,0 +1,12 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Ciba; + +public class InputModel +{ + public string? Button { get; set; } + public IEnumerable ScopesConsented { get; set; } = new List(); + public string? Id { get; set; } + public string? Description { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/ViewModel.cs b/src/IdentitySvc/Pages/Ciba/ViewModel.cs new file mode 100644 index 0000000..c96faa3 --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/ViewModel.cs @@ -0,0 +1,34 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Ciba; + +public class ViewModel +{ + public string? ClientName { get; set; } + public string? ClientUrl { get; set; } + public string? ClientLogoUrl { get; set; } + + public string? BindingMessage { get; set; } + + public IEnumerable IdentityScopes { get; set; } = Enumerable.Empty(); + public IEnumerable ApiScopes { get; set; } = Enumerable.Empty(); +} + +public class ScopeViewModel +{ + public string? Name { get; set; } + public string? Value { get; set; } + public string? DisplayName { get; set; } + public string? Description { get; set; } + public bool Emphasize { get; set; } + public bool Required { get; set; } + public bool Checked { get; set; } + public IEnumerable Resources { get; set; } = Enumerable.Empty(); +} + +public class ResourceViewModel +{ + public string? Name { get; set; } + public string? DisplayName { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Ciba/_ScopeListItem.cshtml b/src/IdentitySvc/Pages/Ciba/_ScopeListItem.cshtml new file mode 100644 index 0000000..4ed96b8 --- /dev/null +++ b/src/IdentitySvc/Pages/Ciba/_ScopeListItem.cshtml @@ -0,0 +1,47 @@ +@using IdentitySvc.Pages.Ciba +@model ScopeViewModel + +
  • + + @if (Model.Required) + { + (required) + } + @if (Model.Description != null) + { +
    + +
    + } + @if (Model.Resources?.Any() == true) + { +
    + +
      + @foreach (var resource in Model.Resources) + { +
    • @resource.DisplayName
      • + } +
    +
    + } +
    • \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Consent/ConsentOptions.cs b/src/IdentitySvc/Pages/Consent/ConsentOptions.cs new file mode 100644 index 0000000..4916fbb --- /dev/null +++ b/src/IdentitySvc/Pages/Consent/ConsentOptions.cs @@ -0,0 +1,14 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Consent; + +public static class ConsentOptions +{ + public static readonly bool EnableOfflineAccess = true; + public static readonly string OfflineAccessDisplayName = "Offline Access"; + public static readonly string OfflineAccessDescription = "Access to your applications and resources, even when you are offline"; + + public static readonly string MustChooseOneErrorMessage = "You must pick at least one permission"; + public static readonly string InvalidSelectionErrorMessage = "Invalid selection"; +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Consent/Index.cshtml b/src/IdentitySvc/Pages/Consent/Index.cshtml new file mode 100644 index 0000000..eec803a --- /dev/null +++ b/src/IdentitySvc/Pages/Consent/Index.cshtml @@ -0,0 +1,107 @@ +@page +@model IdentitySvc.Pages.Consent.Index +@{ +} + +
    +
    + @if (Model.View.ClientLogoUrl != null) + { + + } +

    + @Model.View.ClientName + is requesting your permission +

    +

    Uncheck the permissions you do not wish to grant.

    +
    + +
    +
    + +
    +
    + +
    + +
    +
    + @if (Model.View.IdentityScopes.Any()) + { +
    +
    +
    + + Personal Information +
    +
      + @foreach (var scope in Model.View.IdentityScopes) + { + + } +
    +
    +
    + } + + @if (Model.View.ApiScopes.Any()) + { +
    +
    +
    + + Application Access +
    +
      + @foreach (var scope in Model.View.ApiScopes) + { + + } +
    +
    +
    + } + +
    +
    +
    + + Description +
    +
    + +
    +
    +
    + + @if (Model.View.AllowRememberConsent) + { +
    +
    + + +
    +
    + } +
    +
    + +
    +
    + + +
    +
    + @if (Model.View.ClientUrl != null) + { + + + @Model.View.ClientName + + } +
    +
    +
    +
    diff --git a/src/IdentitySvc/Pages/Consent/Index.cshtml.cs b/src/IdentitySvc/Pages/Consent/Index.cshtml.cs new file mode 100644 index 0000000..b649910 --- /dev/null +++ b/src/IdentitySvc/Pages/Consent/Index.cshtml.cs @@ -0,0 +1,236 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Extensions; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Duende.IdentityServer.Validation; +using IdentityModel; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Consent; + +[Authorize] +[SecurityHeaders] +public class Index : PageModel +{ + private readonly IIdentityServerInteractionService _interaction; + private readonly IEventService _events; + private readonly ILogger _logger; + + public Index( + IIdentityServerInteractionService interaction, + IEventService events, + ILogger logger) + { + _interaction = interaction; + _events = events; + _logger = logger; + } + + public ViewModel View { get; set; } = default!; + + [BindProperty] + public InputModel Input { get; set; } = default!; + + public async Task OnGet(string? returnUrl) + { + if (!await SetViewModelAsync(returnUrl)) + { + return RedirectToPage("/Home/Error/Index"); + } + + Input = new InputModel + { + ReturnUrl = returnUrl, + }; + + return Page(); + } + + public async Task OnPost() + { + // validate return url is still valid + var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl); + if (request == null) return RedirectToPage("/Home/Error/Index"); + + ConsentResponse? grantedConsent = null; + + // user clicked 'no' - send back the standard 'access_denied' response + if (Input.Button == "no") + { + grantedConsent = new ConsentResponse { Error = AuthorizationError.AccessDenied }; + + // emit event + await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues)); + Telemetry.Metrics.ConsentDenied(request.Client.ClientId, request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName)); + } + // user clicked 'yes' - validate the data + else if (Input.Button == "yes") + { + // if the user consented to some scope, build the response model + if (Input.ScopesConsented.Any()) + { + var scopes = Input.ScopesConsented; + if (ConsentOptions.EnableOfflineAccess == false) + { + scopes = scopes.Where(x => x != Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess); + } + + grantedConsent = new ConsentResponse + { + RememberConsent = Input.RememberConsent, + ScopesValuesConsented = scopes.ToArray(), + Description = Input.Description + }; + + // emit event + await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent)); + Telemetry.Metrics.ConsentGranted(request.Client.ClientId, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent); + var denied = request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName).Except(grantedConsent.ScopesValuesConsented); + Telemetry.Metrics.ConsentDenied(request.Client.ClientId, denied); + } + else + { + ModelState.AddModelError("", ConsentOptions.MustChooseOneErrorMessage); + } + } + else + { + ModelState.AddModelError("", ConsentOptions.InvalidSelectionErrorMessage); + } + + if (grantedConsent != null) + { + ArgumentNullException.ThrowIfNull(Input.ReturnUrl, nameof(Input.ReturnUrl)); + + // communicate outcome of consent back to identityserver + await _interaction.GrantConsentAsync(request, grantedConsent); + + // redirect back to authorization endpoint + if (request.IsNativeClient() == true) + { + // The client is native, so this change in how to + // return the response is for better UX for the end user. + return this.LoadingPage(Input.ReturnUrl); + } + + return Redirect(Input.ReturnUrl); + } + + // we need to redisplay the consent UI + if (!await SetViewModelAsync(Input.ReturnUrl)) + { + return RedirectToPage("/Home/Error/Index"); + } + return Page(); + } + + private async Task SetViewModelAsync(string? returnUrl) + { + ArgumentNullException.ThrowIfNull(returnUrl); + + var request = await _interaction.GetAuthorizationContextAsync(returnUrl); + if (request != null) + { + View = CreateConsentViewModel(request); + return true; + } + else + { + _logger.NoConsentMatchingRequest(returnUrl); + return false; + } + } + + private ViewModel CreateConsentViewModel(AuthorizationRequest request) + { + var vm = new ViewModel + { + ClientName = request.Client.ClientName ?? request.Client.ClientId, + ClientUrl = request.Client.ClientUri, + ClientLogoUrl = request.Client.LogoUri, + AllowRememberConsent = request.Client.AllowRememberConsent + }; + + vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources + .Select(x => CreateScopeViewModel(x, Input == null || Input.ScopesConsented.Contains(x.Name))) + .ToArray(); + + var resourceIndicators = request.Parameters.GetValues(OidcConstants.AuthorizeRequest.Resource) ?? Enumerable.Empty(); + var apiResources = request.ValidatedResources.Resources.ApiResources.Where(x => resourceIndicators.Contains(x.Name)); + + var apiScopes = new List(); + foreach (var parsedScope in request.ValidatedResources.ParsedScopes) + { + var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName); + if (apiScope != null) + { + var scopeVm = CreateScopeViewModel(parsedScope, apiScope, Input == null || Input.ScopesConsented.Contains(parsedScope.RawValue)); + scopeVm.Resources = apiResources.Where(x => x.Scopes.Contains(parsedScope.ParsedName)) + .Select(x => new ResourceViewModel + { + Name = x.Name, + DisplayName = x.DisplayName ?? x.Name, + }).ToArray(); + apiScopes.Add(scopeVm); + } + } + if (ConsentOptions.EnableOfflineAccess && request.ValidatedResources.Resources.OfflineAccess) + { + apiScopes.Add(CreateOfflineAccessScope(Input == null || Input.ScopesConsented.Contains(Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess))); + } + vm.ApiScopes = apiScopes; + + return vm; + } + + private static ScopeViewModel CreateScopeViewModel(IdentityResource identity, bool check) + { + return new ScopeViewModel + { + Name = identity.Name, + Value = identity.Name, + DisplayName = identity.DisplayName ?? identity.Name, + Description = identity.Description, + Emphasize = identity.Emphasize, + Required = identity.Required, + Checked = check || identity.Required + }; + } + + private static ScopeViewModel CreateScopeViewModel(ParsedScopeValue parsedScopeValue, ApiScope apiScope, bool check) + { + var displayName = apiScope.DisplayName ?? apiScope.Name; + if (!String.IsNullOrWhiteSpace(parsedScopeValue.ParsedParameter)) + { + displayName += ":" + parsedScopeValue.ParsedParameter; + } + + return new ScopeViewModel + { + Name = parsedScopeValue.ParsedName, + Value = parsedScopeValue.RawValue, + DisplayName = displayName, + Description = apiScope.Description, + Emphasize = apiScope.Emphasize, + Required = apiScope.Required, + Checked = check || apiScope.Required + }; + } + + private static ScopeViewModel CreateOfflineAccessScope(bool check) + { + return new ScopeViewModel + { + Value = Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess, + DisplayName = ConsentOptions.OfflineAccessDisplayName, + Description = ConsentOptions.OfflineAccessDescription, + Emphasize = true, + Checked = check + }; + } +} diff --git a/src/IdentitySvc/Pages/Consent/InputModel.cs b/src/IdentitySvc/Pages/Consent/InputModel.cs new file mode 100644 index 0000000..d9a49d6 --- /dev/null +++ b/src/IdentitySvc/Pages/Consent/InputModel.cs @@ -0,0 +1,13 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Consent; + +public class InputModel +{ + public string? Button { get; set; } + public IEnumerable ScopesConsented { get; set; } = new List(); + public bool RememberConsent { get; set; } = true; + public string? ReturnUrl { get; set; } + public string? Description { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Consent/ViewModel.cs b/src/IdentitySvc/Pages/Consent/ViewModel.cs new file mode 100644 index 0000000..88b3491 --- /dev/null +++ b/src/IdentitySvc/Pages/Consent/ViewModel.cs @@ -0,0 +1,33 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Consent; + +public class ViewModel +{ + public string? ClientName { get; set; } + public string? ClientUrl { get; set; } + public string? ClientLogoUrl { get; set; } + public bool AllowRememberConsent { get; set; } + + public IEnumerable IdentityScopes { get; set; } = Enumerable.Empty(); + public IEnumerable ApiScopes { get; set; } = Enumerable.Empty(); +} + +public class ScopeViewModel +{ + public string? Name { get; set; } + public string? Value { get; set; } + public string? DisplayName { get; set; } + public string? Description { get; set; } + public bool Emphasize { get; set; } + public bool Required { get; set; } + public bool Checked { get; set; } + public IEnumerable Resources { get; set; } = Enumerable.Empty(); +} + +public class ResourceViewModel +{ + public string? Name { get; set; } + public string? DisplayName { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Consent/_ScopeListItem.cshtml b/src/IdentitySvc/Pages/Consent/_ScopeListItem.cshtml new file mode 100644 index 0000000..8fc4547 --- /dev/null +++ b/src/IdentitySvc/Pages/Consent/_ScopeListItem.cshtml @@ -0,0 +1,47 @@ +@using IdentitySvc.Pages.Consent +@model ScopeViewModel + +
  • + + @if (Model.Required) + { + (required) + } + @if (Model.Description != null) + { +
    + +
    + } + @if (Model.Resources?.Any() == true) + { +
    + +
      + @foreach (var resource in Model.Resources) + { +
    • @resource.DisplayName
      • + } +
    +
    + } +
    • \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Device/DeviceOptions.cs b/src/IdentitySvc/Pages/Device/DeviceOptions.cs new file mode 100644 index 0000000..2a70255 --- /dev/null +++ b/src/IdentitySvc/Pages/Device/DeviceOptions.cs @@ -0,0 +1,15 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Device; + +public static class DeviceOptions +{ + public static readonly bool EnableOfflineAccess = true; + public static readonly string OfflineAccessDisplayName = "Offline Access"; + public static readonly string OfflineAccessDescription = "Access to your applications and resources, even when you are offline"; + + public static readonly string InvalidUserCode = "Invalid user code"; + public static readonly string MustChooseOneErrorMessage = "You must pick at least one permission"; + public static readonly string InvalidSelectionErrorMessage = "Invalid selection"; +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Device/Index.cshtml b/src/IdentitySvc/Pages/Device/Index.cshtml new file mode 100644 index 0000000..9c2adbd --- /dev/null +++ b/src/IdentitySvc/Pages/Device/Index.cshtml @@ -0,0 +1,141 @@ +@page +@model IdentitySvc.Pages.Device.Index +@{ +} + +@if (Model.Input.UserCode == null) +{ + @*We need to collect the user code*@ +
    +
    +

    User Code

    +

    Please enter the code displayed on your device.

    +
    + +
    +
    + +
    +
    + +
    +
    +
    +
    + + +
    + + +
    +
    +
    +
    +} +else +{ + @*collect consent for the user code provided*@ +
    +
    + @if (Model.View.ClientLogoUrl != null) + { + + } +

    + @Model.View.ClientName + is requesting your permission +

    +

    Please confirm that the authorization request matches the code: @Model.Input.UserCode.

    +

    Uncheck the permissions you do not wish to grant.

    +
    + +
    +
    + +
    +
    + +
    + +
    +
    + @if (Model.View.IdentityScopes.Any()) + { +
    +
    +
    + + Personal Information +
    +
      + @foreach (var scope in Model.View.IdentityScopes) + { + + } +
    +
    +
    + } + + @if (Model.View.ApiScopes.Any()) + { +
    +
    +
    + + Application Access +
    +
      + @foreach (var scope in Model.View.ApiScopes) + { + + } +
    +
    +
    + } + +
    +
    +
    + + Description +
    +
    + +
    +
    +
    + + @if (Model.View.AllowRememberConsent) + { +
    +
    + + +
    +
    + } +
    +
    + +
    +
    + + +
    +
    + @if (Model.View.ClientUrl != null) + { + + + @Model.View.ClientName + + } +
    +
    +
    +
    +} diff --git a/src/IdentitySvc/Pages/Device/Index.cshtml.cs b/src/IdentitySvc/Pages/Device/Index.cshtml.cs new file mode 100644 index 0000000..81ca290 --- /dev/null +++ b/src/IdentitySvc/Pages/Device/Index.cshtml.cs @@ -0,0 +1,220 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Configuration; +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Extensions; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Duende.IdentityServer.Validation; +using IdentitySvc.Pages.Consent; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; +using Microsoft.Extensions.Options; + +namespace IdentitySvc.Pages.Device; + +[SecurityHeaders] +[Authorize] +public class Index : PageModel +{ + private readonly IDeviceFlowInteractionService _interaction; + private readonly IEventService _events; + private readonly IOptions _options; + private readonly ILogger _logger; + + public Index( + IDeviceFlowInteractionService interaction, + IEventService eventService, + IOptions options, + ILogger logger) + { + _interaction = interaction; + _events = eventService; + _options = options; + _logger = logger; + } + + public ViewModel View { get; set; } = default!; + + [BindProperty] + public InputModel Input { get; set; } = default!; + + public async Task OnGet(string? userCode) + { + if (String.IsNullOrWhiteSpace(userCode)) + { + return Page(); + } + + if (!await SetViewModelAsync(userCode)) + { + ModelState.AddModelError("", DeviceOptions.InvalidUserCode); + return Page(); + } + + Input = new InputModel { + UserCode = userCode, + }; + + return Page(); + } + + public async Task OnPost() + { + var request = await _interaction.GetAuthorizationContextAsync(Input.UserCode ?? throw new ArgumentNullException(nameof(Input.UserCode))); + if (request == null) return RedirectToPage("/Home/Error/Index"); + + ConsentResponse? grantedConsent = null; + + // user clicked 'no' - send back the standard 'access_denied' response + if (Input.Button == "no") + { + grantedConsent = new ConsentResponse + { + Error = AuthorizationError.AccessDenied + }; + + // emit event + await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues)); + Telemetry.Metrics.ConsentDenied(request.Client.ClientId, request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName)); + } + // user clicked 'yes' - validate the data + else if (Input.Button == "yes") + { + // if the user consented to some scope, build the response model + if (Input.ScopesConsented.Any()) + { + var scopes = Input.ScopesConsented; + if (ConsentOptions.EnableOfflineAccess == false) + { + scopes = scopes.Where(x => x != Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess); + } + + grantedConsent = new ConsentResponse + { + RememberConsent = Input.RememberConsent, + ScopesValuesConsented = scopes.ToArray(), + Description = Input.Description + }; + + // emit event + await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent)); + Telemetry.Metrics.ConsentGranted(request.Client.ClientId, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent); + var denied = request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName).Except(grantedConsent.ScopesValuesConsented); + Telemetry.Metrics.ConsentDenied(request.Client.ClientId, denied); + } + else + { + ModelState.AddModelError("", ConsentOptions.MustChooseOneErrorMessage); + } + } + else + { + ModelState.AddModelError("", ConsentOptions.InvalidSelectionErrorMessage); + } + + if (grantedConsent != null) + { + // communicate outcome of consent back to identityserver + await _interaction.HandleRequestAsync(Input.UserCode, grantedConsent); + + // indicate that's it ok to redirect back to authorization endpoint + return RedirectToPage("/Device/Success"); + } + + // we need to redisplay the consent UI + if (!await SetViewModelAsync(Input.UserCode)) + { + return RedirectToPage("/Home/Error/Index"); + } + return Page(); + } + + + private async Task SetViewModelAsync(string userCode) + { + var request = await _interaction.GetAuthorizationContextAsync(userCode); + if (request != null) + { + View = CreateConsentViewModel(request); + return true; + } + else + { + View = new ViewModel(); + return false; + } + } + + private ViewModel CreateConsentViewModel(DeviceFlowAuthorizationRequest request) + { + var vm = new ViewModel + { + ClientName = request.Client.ClientName ?? request.Client.ClientId, + ClientUrl = request.Client.ClientUri, + ClientLogoUrl = request.Client.LogoUri, + AllowRememberConsent = request.Client.AllowRememberConsent + }; + + vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources.Select(x => CreateScopeViewModel(x, Input == null || Input.ScopesConsented.Contains(x.Name))).ToArray(); + + var apiScopes = new List(); + foreach (var parsedScope in request.ValidatedResources.ParsedScopes) + { + var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName); + if (apiScope != null) + { + var scopeVm = CreateScopeViewModel(parsedScope, apiScope, Input == null || Input.ScopesConsented.Contains(parsedScope.RawValue)); + apiScopes.Add(scopeVm); + } + } + if (DeviceOptions.EnableOfflineAccess && request.ValidatedResources.Resources.OfflineAccess) + { + apiScopes.Add(GetOfflineAccessScope(Input == null || Input.ScopesConsented.Contains(Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess))); + } + vm.ApiScopes = apiScopes; + + return vm; + } + + private static ScopeViewModel CreateScopeViewModel(IdentityResource identity, bool check) + { + return new ScopeViewModel + { + Value = identity.Name, + DisplayName = identity.DisplayName ?? identity.Name, + Description = identity.Description, + Emphasize = identity.Emphasize, + Required = identity.Required, + Checked = check || identity.Required + }; + } + + private static ScopeViewModel CreateScopeViewModel(ParsedScopeValue parsedScopeValue, ApiScope apiScope, bool check) + { + return new ScopeViewModel + { + Value = parsedScopeValue.RawValue, + // todo: use the parsed scope value in the display? + DisplayName = apiScope.DisplayName ?? apiScope.Name, + Description = apiScope.Description, + Emphasize = apiScope.Emphasize, + Required = apiScope.Required, + Checked = check || apiScope.Required + }; + } + + private static ScopeViewModel GetOfflineAccessScope(bool check) + { + return new ScopeViewModel + { + Value = Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess, + DisplayName = DeviceOptions.OfflineAccessDisplayName, + Description = DeviceOptions.OfflineAccessDescription, + Emphasize = true, + Checked = check + }; + } +} diff --git a/src/IdentitySvc/Pages/Device/InputModel.cs b/src/IdentitySvc/Pages/Device/InputModel.cs new file mode 100644 index 0000000..4923ef9 --- /dev/null +++ b/src/IdentitySvc/Pages/Device/InputModel.cs @@ -0,0 +1,14 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Device; + +public class InputModel +{ + public string? Button { get; set; } + public IEnumerable ScopesConsented { get; set; } = new List(); + public bool RememberConsent { get; set; } = true; + public string? ReturnUrl { get; set; } + public string? Description { get; set; } + public string? UserCode { get; set; } +} diff --git a/src/IdentitySvc/Pages/Device/Success.cshtml b/src/IdentitySvc/Pages/Device/Success.cshtml new file mode 100644 index 0000000..d861d3d --- /dev/null +++ b/src/IdentitySvc/Pages/Device/Success.cshtml @@ -0,0 +1,12 @@ +@page +@model IdentitySvc.Pages.Device.SuccessModel +@{ +} + + +
    +
    +

    Success

    +

    You have successfully authorized the device

    +
    +
    diff --git a/src/IdentitySvc/Pages/Device/Success.cshtml.cs b/src/IdentitySvc/Pages/Device/Success.cshtml.cs new file mode 100644 index 0000000..5cefd21 --- /dev/null +++ b/src/IdentitySvc/Pages/Device/Success.cshtml.cs @@ -0,0 +1,16 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Device; + +[SecurityHeaders] +[Authorize] +public class SuccessModel : PageModel +{ + public void OnGet() + { + } +} diff --git a/src/IdentitySvc/Pages/Device/ViewModel.cs b/src/IdentitySvc/Pages/Device/ViewModel.cs new file mode 100644 index 0000000..bd2e5f2 --- /dev/null +++ b/src/IdentitySvc/Pages/Device/ViewModel.cs @@ -0,0 +1,25 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Device; + +public class ViewModel +{ + public string? ClientName { get; set; } + public string? ClientUrl { get; set; } + public string? ClientLogoUrl { get; set; } + public bool AllowRememberConsent { get; set; } + + public IEnumerable IdentityScopes { get; set; } = Enumerable.Empty(); + public IEnumerable ApiScopes { get; set; } = Enumerable.Empty(); +} + +public class ScopeViewModel +{ + public string? Value { get; set; } + public string? DisplayName { get; set; } + public string? Description { get; set; } + public bool Emphasize { get; set; } + public bool Required { get; set; } + public bool Checked { get; set; } +} diff --git a/src/IdentitySvc/Pages/Device/_ScopeListItem.cshtml b/src/IdentitySvc/Pages/Device/_ScopeListItem.cshtml new file mode 100644 index 0000000..a930990 --- /dev/null +++ b/src/IdentitySvc/Pages/Device/_ScopeListItem.cshtml @@ -0,0 +1,35 @@ +@using IdentitySvc.Pages.Device +@model ScopeViewModel + +
  • + + @if (Model.Required) + { + (required) + } + @if (Model.Description != null) + { +
    + +
    + } +
    • \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Diagnostics/Index.cshtml b/src/IdentitySvc/Pages/Diagnostics/Index.cshtml new file mode 100644 index 0000000..76a5c8f --- /dev/null +++ b/src/IdentitySvc/Pages/Diagnostics/Index.cshtml @@ -0,0 +1,67 @@ +@page +@model IdentitySvc.Pages.Diagnostics.Index + +
    +
    +

    Authentication Cookie

    +
    + +
    +
    +
    +
    +

    Claims

    +
    +
    + @if(Model.View.AuthenticateResult.Principal != null) + { +
    + @foreach (var claim in Model.View.AuthenticateResult.Principal.Claims) + { +
    @claim.Type
    +
    @claim.Value
    + } +
    + } +
    +
    +
    + +
    +
    +
    +

    Properties

    +
    +
    +
    + @if (Model.View.AuthenticateResult.Properties != null) + { + @foreach (var prop in Model.View.AuthenticateResult.Properties.Items) + { +
    @prop.Key
    +
    @prop.Value
    + } + } + @if (Model.View.Clients.Any()) + { +
    Clients
    +
    + @{ + var clients = Model.View.Clients.ToArray(); + for(var i = 0; i < clients.Length; i++) + { + @clients[i] + if (i < clients.Length - 1) + { + , + } + } + } +
    + } +
    +
    +
    +
    +
    +
    \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Diagnostics/Index.cshtml.cs b/src/IdentitySvc/Pages/Diagnostics/Index.cshtml.cs new file mode 100644 index 0000000..a693057 --- /dev/null +++ b/src/IdentitySvc/Pages/Diagnostics/Index.cshtml.cs @@ -0,0 +1,34 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; +using Microsoft.AspNetCore.Authorization; + +namespace IdentitySvc.Pages.Diagnostics; + +[SecurityHeaders] +[Authorize] +public class Index : PageModel +{ + public ViewModel View { get; set; } = default!; + + public async Task OnGet() + { + var localAddresses = new List { "127.0.0.1", "::1" }; + if(HttpContext.Connection.LocalIpAddress != null) + { + localAddresses.Add(HttpContext.Connection.LocalIpAddress.ToString()); + } + + if (!localAddresses.Contains(HttpContext.Connection.RemoteIpAddress?.ToString())) + { + return NotFound(); + } + + View = new ViewModel(await HttpContext.AuthenticateAsync()); + + return Page(); + } +} diff --git a/src/IdentitySvc/Pages/Diagnostics/ViewModel.cs b/src/IdentitySvc/Pages/Diagnostics/ViewModel.cs new file mode 100644 index 0000000..7e77983 --- /dev/null +++ b/src/IdentitySvc/Pages/Diagnostics/ViewModel.cs @@ -0,0 +1,32 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using IdentityModel; +using Microsoft.AspNetCore.Authentication; +using System.Text; +using System.Text.Json; + +namespace IdentitySvc.Pages.Diagnostics; + +public class ViewModel +{ + public ViewModel(AuthenticateResult result) + { + AuthenticateResult = result; + + if (result?.Properties?.Items.TryGetValue("client_list", out var encoded) == true) + { + if (encoded != null) + { + var bytes = Base64Url.Decode(encoded); + var value = Encoding.UTF8.GetString(bytes); + Clients = JsonSerializer.Deserialize(value) ?? Enumerable.Empty(); + return; + } + } + Clients = Enumerable.Empty(); + } + + public AuthenticateResult AuthenticateResult { get; } + public IEnumerable Clients { get; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Extensions.cs b/src/IdentitySvc/Pages/Extensions.cs new file mode 100644 index 0000000..fdf6959 --- /dev/null +++ b/src/IdentitySvc/Pages/Extensions.cs @@ -0,0 +1,42 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Models; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages; + +public static class Extensions +{ + /// + /// Determines if the authentication scheme support signout. + /// + internal static async Task GetSchemeSupportsSignOutAsync(this HttpContext context, string scheme) + { + var provider = context.RequestServices.GetRequiredService(); + var handler = await provider.GetHandlerAsync(context, scheme); + return (handler is IAuthenticationSignOutHandler); + } + + /// + /// Checks if the redirect URI is for a native client. + /// + internal static bool IsNativeClient(this AuthorizationRequest context) + { + return !context.RedirectUri.StartsWith("https", StringComparison.Ordinal) + && !context.RedirectUri.StartsWith("http", StringComparison.Ordinal); + } + + /// + /// Renders a loading page that is used to redirect back to the redirectUri. + /// + internal static IActionResult LoadingPage(this PageModel page, string? redirectUri) + { + page.HttpContext.Response.StatusCode = 200; + page.HttpContext.Response.Headers["Location"] = ""; + + return page.RedirectToPage("/Redirect/Index", new { RedirectUri = redirectUri }); + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/ExternalLogin/Callback.cshtml b/src/IdentitySvc/Pages/ExternalLogin/Callback.cshtml new file mode 100644 index 0000000..5603939 --- /dev/null +++ b/src/IdentitySvc/Pages/ExternalLogin/Callback.cshtml @@ -0,0 +1,19 @@ +@page +@model IdentitySvc.Pages.ExternalLogin.Callback + +@{ + Layout = null; +} + + + + + + + + +
    + +
    + + \ No newline at end of file diff --git a/src/IdentitySvc/Pages/ExternalLogin/Callback.cshtml.cs b/src/IdentitySvc/Pages/ExternalLogin/Callback.cshtml.cs new file mode 100644 index 0000000..1468400 --- /dev/null +++ b/src/IdentitySvc/Pages/ExternalLogin/Callback.cshtml.cs @@ -0,0 +1,203 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using System.Security.Claims; +using Duende.IdentityServer; +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Services; +using IdentityModel; +using IdentitySvc.Models; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Identity; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.ExternalLogin; + +[AllowAnonymous] +[SecurityHeaders] +public class Callback : PageModel +{ + private readonly UserManager _userManager; + private readonly SignInManager _signInManager; + private readonly IIdentityServerInteractionService _interaction; + private readonly ILogger _logger; + private readonly IEventService _events; + + public Callback( + IIdentityServerInteractionService interaction, + IEventService events, + ILogger logger, + UserManager userManager, + SignInManager signInManager) + { + _userManager = userManager; + _signInManager = signInManager; + _interaction = interaction; + _logger = logger; + _events = events; + } + + public async Task OnGet() + { + // read external identity from the temporary cookie + var result = await HttpContext.AuthenticateAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme); + if (result.Succeeded != true) + { + throw new InvalidOperationException($"External authentication error: { result.Failure }"); + } + + var externalUser = result.Principal ?? + throw new InvalidOperationException("External authentication produced a null Principal"); + + if (_logger.IsEnabled(LogLevel.Debug)) + { + var externalClaims = externalUser.Claims.Select(c => $"{c.Type}: {c.Value}"); + _logger.ExternalClaims(externalClaims); + } + + // lookup our user and external provider info + // try to determine the unique id of the external user (issued by the provider) + // the most common claim type for that are the sub claim and the NameIdentifier + // depending on the external provider, some other claim type might be used + var userIdClaim = externalUser.FindFirst(JwtClaimTypes.Subject) ?? + externalUser.FindFirst(ClaimTypes.NameIdentifier) ?? + throw new InvalidOperationException("Unknown userid"); + + var provider = result.Properties.Items["scheme"] ?? throw new InvalidOperationException("Null scheme in authentiation properties"); + var providerUserId = userIdClaim.Value; + + // find external user + var user = await _userManager.FindByLoginAsync(provider, providerUserId); + if (user == null) + { + // this might be where you might initiate a custom workflow for user registration + // in this sample we don't show how that would be done, as our sample implementation + // simply auto-provisions new external user + user = await AutoProvisionUserAsync(provider, providerUserId, externalUser.Claims); + } + + // this allows us to collect any additional claims or properties + // for the specific protocols used and store them in the local auth cookie. + // this is typically used to store data needed for signout from those protocols. + var additionalLocalClaims = new List(); + var localSignInProps = new AuthenticationProperties(); + CaptureExternalLoginContext(result, additionalLocalClaims, localSignInProps); + + // issue authentication cookie for user + await _signInManager.SignInWithClaimsAsync(user, localSignInProps, additionalLocalClaims); + + // delete temporary cookie used during external authentication + await HttpContext.SignOutAsync(IdentityServerConstants.ExternalCookieAuthenticationScheme); + + // retrieve return URL + var returnUrl = result.Properties.Items["returnUrl"] ?? "~/"; + + // check if external login is in the context of an OIDC request + var context = await _interaction.GetAuthorizationContextAsync(returnUrl); + await _events.RaiseAsync(new UserLoginSuccessEvent(provider, providerUserId, user.Id, user.UserName, true, context?.Client.ClientId)); + Telemetry.Metrics.UserLogin(context?.Client.ClientId, provider!); + + if (context != null) + { + if (context.IsNativeClient()) + { + // The client is native, so this change in how to + // return the response is for better UX for the end user. + return this.LoadingPage(returnUrl); + } + } + + return Redirect(returnUrl); + } + + [System.Diagnostics.CodeAnalysis.SuppressMessage("Performance", "CA1851:Possible multiple enumerations of 'IEnumerable' collection", Justification = "")] + private async Task AutoProvisionUserAsync(string provider, string providerUserId, IEnumerable claims) + { + var sub = Guid.NewGuid().ToString(); + + var user = new ApplicationUser + { + Id = sub, + UserName = sub, // don't need a username, since the user will be using an external provider to login + }; + + // email + var email = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Email)?.Value ?? + claims.FirstOrDefault(x => x.Type == ClaimTypes.Email)?.Value; + if (email != null) + { + user.Email = email; + } + + // create a list of claims that we want to transfer into our store + var filtered = new List(); + + // user's display name + var name = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.Name)?.Value ?? + claims.FirstOrDefault(x => x.Type == ClaimTypes.Name)?.Value; + if (name != null) + { + filtered.Add(new Claim(JwtClaimTypes.Name, name)); + } + else + { + var first = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.GivenName)?.Value ?? + claims.FirstOrDefault(x => x.Type == ClaimTypes.GivenName)?.Value; + var last = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.FamilyName)?.Value ?? + claims.FirstOrDefault(x => x.Type == ClaimTypes.Surname)?.Value; + if (first != null && last != null) + { + filtered.Add(new Claim(JwtClaimTypes.Name, first + " " + last)); + } + else if (first != null) + { + filtered.Add(new Claim(JwtClaimTypes.Name, first)); + } + else if (last != null) + { + filtered.Add(new Claim(JwtClaimTypes.Name, last)); + } + } + + var identityResult = await _userManager.CreateAsync(user); + if (!identityResult.Succeeded) throw new InvalidOperationException(identityResult.Errors.First().Description); + + if (filtered.Count != 0) + { + identityResult = await _userManager.AddClaimsAsync(user, filtered); + if (!identityResult.Succeeded) throw new InvalidOperationException(identityResult.Errors.First().Description); + } + + identityResult = await _userManager.AddLoginAsync(user, new UserLoginInfo(provider, providerUserId, provider)); + if (!identityResult.Succeeded) throw new InvalidOperationException(identityResult.Errors.First().Description); + + return user; + } + + // if the external login is OIDC-based, there are certain things we need to preserve to make logout work + // this will be different for WS-Fed, SAML2p or other protocols + private static void CaptureExternalLoginContext(AuthenticateResult externalResult, List localClaims, AuthenticationProperties localSignInProps) + { + ArgumentNullException.ThrowIfNull(externalResult.Principal, nameof(externalResult.Principal)); + + // capture the idp used to login, so the session knows where the user came from + localClaims.Add(new Claim(JwtClaimTypes.IdentityProvider, externalResult.Properties?.Items["scheme"] ?? "unknown identity provider")); + + // if the external system sent a session id claim, copy it over + // so we can use it for single sign-out + var sid = externalResult.Principal.Claims.FirstOrDefault(x => x.Type == JwtClaimTypes.SessionId); + if (sid != null) + { + localClaims.Add(new Claim(JwtClaimTypes.SessionId, sid.Value)); + } + + // if the external provider issued an id_token, we'll keep it for signout + var idToken = externalResult.Properties?.GetTokenValue("id_token"); + if (idToken != null) + { + localSignInProps.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = idToken } }); + } + } +} diff --git a/src/IdentitySvc/Pages/ExternalLogin/Challenge.cshtml b/src/IdentitySvc/Pages/ExternalLogin/Challenge.cshtml new file mode 100644 index 0000000..791f8fa --- /dev/null +++ b/src/IdentitySvc/Pages/ExternalLogin/Challenge.cshtml @@ -0,0 +1,19 @@ +@page +@model IdentitySvc.Pages.ExternalLogin.Challenge + +@{ + Layout = null; +} + + + + + + + + +
    + +
    + + \ No newline at end of file diff --git a/src/IdentitySvc/Pages/ExternalLogin/Challenge.cshtml.cs b/src/IdentitySvc/Pages/ExternalLogin/Challenge.cshtml.cs new file mode 100644 index 0000000..17f1d23 --- /dev/null +++ b/src/IdentitySvc/Pages/ExternalLogin/Challenge.cshtml.cs @@ -0,0 +1,48 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Services; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.ExternalLogin; + +[AllowAnonymous] +[SecurityHeaders] +public class Challenge : PageModel +{ + private readonly IIdentityServerInteractionService _interactionService; + + public Challenge(IIdentityServerInteractionService interactionService) + { + _interactionService = interactionService; + } + + public IActionResult OnGet(string scheme, string? returnUrl) + { + if (string.IsNullOrEmpty(returnUrl)) returnUrl = "~/"; + + // validate returnUrl - either it is a valid OIDC URL or back to a local page + if (Url.IsLocalUrl(returnUrl) == false && _interactionService.IsValidReturnUrl(returnUrl) == false) + { + // user might have clicked on a malicious link - should be logged + throw new ArgumentException("invalid return URL"); + } + + // start challenge and roundtrip the return URL and scheme + var props = new AuthenticationProperties + { + RedirectUri = Url.Page("/externallogin/callback"), + + Items = + { + { "returnUrl", returnUrl }, + { "scheme", scheme }, + } + }; + + return Challenge(props, scheme); + } +} diff --git a/src/IdentitySvc/Pages/Grants/Index.cshtml b/src/IdentitySvc/Pages/Grants/Index.cshtml new file mode 100644 index 0000000..a8be8a6 --- /dev/null +++ b/src/IdentitySvc/Pages/Grants/Index.cshtml @@ -0,0 +1,90 @@ +@page +@model IdentitySvc.Pages.Grants.Index +@{ +} + +
    +
    +

    Client Application Permissions

    +

    Below is the list of applications you have given permission to and the resources they have access to.

    +
    + + @if (!Model.View.Grants.Any()) + { +
    +
    +
    + You have not given access to any applications +
    +
    +
    + } + else + { + foreach (var grant in Model.View.Grants) + { +
    +
    +
    +
    + @if (grant.ClientLogoUrl != null) + { + + } + @grant.ClientName +
    + +
    +
    + + +
    +
    +
    +
    + +
      + @if (grant.Description != null) + { +
    • + @grant.Description +
      • + } +
    • + @grant.Created.ToString("yyyy-MM-dd") +
      • + @if (grant.Expires.HasValue) + { +
    • + @grant.Expires.Value.ToString("yyyy-MM-dd") +
      • + } + @if (grant.IdentityGrantNames.Any()) + { +
    • + +
        + @foreach (var name in grant.IdentityGrantNames) + { +
      • @name
        • + } +
      +
      • + } + @if (grant.ApiGrantNames.Any()) + { +
    • + +
        + @foreach (var name in grant.ApiGrantNames) + { +
      • @name
        • + } +
      +
      • + } +
    +
    + } + } +
    \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Grants/Index.cshtml.cs b/src/IdentitySvc/Pages/Grants/Index.cshtml.cs new file mode 100644 index 0000000..ddef621 --- /dev/null +++ b/src/IdentitySvc/Pages/Grants/Index.cshtml.cs @@ -0,0 +1,82 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Events; +using Duende.IdentityServer.Extensions; +using Duende.IdentityServer.Services; +using Duende.IdentityServer.Stores; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Grants; + +[SecurityHeaders] +[Authorize] +public class Index : PageModel +{ + private readonly IIdentityServerInteractionService _interaction; + private readonly IClientStore _clients; + private readonly IResourceStore _resources; + private readonly IEventService _events; + + public Index(IIdentityServerInteractionService interaction, + IClientStore clients, + IResourceStore resources, + IEventService events) + { + _interaction = interaction; + _clients = clients; + _resources = resources; + _events = events; + } + + public ViewModel View { get; set; } = default!; + + public async Task OnGet() + { + var grants = await _interaction.GetAllUserGrantsAsync(); + + var list = new List(); + foreach (var grant in grants) + { + var client = await _clients.FindClientByIdAsync(grant.ClientId); + if (client != null) + { + var resources = await _resources.FindResourcesByScopeAsync(grant.Scopes); + + var item = new GrantViewModel() + { + ClientId = client.ClientId, + ClientName = client.ClientName ?? client.ClientId, + ClientLogoUrl = client.LogoUri, + ClientUrl = client.ClientUri, + Description = grant.Description, + Created = grant.CreationTime, + Expires = grant.Expiration, + IdentityGrantNames = resources.IdentityResources.Select(x => x.DisplayName ?? x.Name).ToArray(), + ApiGrantNames = resources.ApiScopes.Select(x => x.DisplayName ?? x.Name).ToArray() + }; + + list.Add(item); + } + } + + View = new ViewModel + { + Grants = list + }; + } + + [BindProperty] + public string? ClientId { get; set; } + + public async Task OnPost() + { + await _interaction.RevokeUserConsentAsync(ClientId); + await _events.RaiseAsync(new GrantsRevokedEvent(User.GetSubjectId(), ClientId)); + Telemetry.Metrics.GrantsRevoked(ClientId); + + return RedirectToPage("/Grants/Index"); + } +} diff --git a/src/IdentitySvc/Pages/Grants/ViewModel.cs b/src/IdentitySvc/Pages/Grants/ViewModel.cs new file mode 100644 index 0000000..fb21c2b --- /dev/null +++ b/src/IdentitySvc/Pages/Grants/ViewModel.cs @@ -0,0 +1,22 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages.Grants; + +public class ViewModel +{ + public IEnumerable Grants { get; set; } = Enumerable.Empty(); +} + +public class GrantViewModel +{ + public string? ClientId { get; set; } + public string? ClientName { get; set; } + public string? ClientUrl { get; set; } + public string? ClientLogoUrl { get; set; } + public string? Description { get; set; } + public DateTime Created { get; set; } + public DateTime? Expires { get; set; } + public IEnumerable IdentityGrantNames { get; set; } = Enumerable.Empty(); + public IEnumerable ApiGrantNames { get; set; } = Enumerable.Empty(); +} diff --git a/src/IdentitySvc/Pages/Home/Error/Index.cshtml b/src/IdentitySvc/Pages/Home/Error/Index.cshtml new file mode 100644 index 0000000..b1c2dd5 --- /dev/null +++ b/src/IdentitySvc/Pages/Home/Error/Index.cshtml @@ -0,0 +1,35 @@ +@page +@model IdentitySvc.Pages.Error.Index + +
    +
    +

    Error

    +
    + +
    +
    +
    + Sorry, there was an error + + @if (Model.View.Error != null) + { + + + : @Model.View.Error.Error + + + + if (Model.View.Error.ErrorDescription != null) + { +
    @Model.View.Error.ErrorDescription
    + } + } +
    + + @if (Model?.View?.Error?.RequestId != null) + { +
    Request Id: @Model.View.Error.RequestId
    + } +
    +
    +
    diff --git a/src/IdentitySvc/Pages/Home/Error/Index.cshtml.cs b/src/IdentitySvc/Pages/Home/Error/Index.cshtml.cs new file mode 100644 index 0000000..f100b69 --- /dev/null +++ b/src/IdentitySvc/Pages/Home/Error/Index.cshtml.cs @@ -0,0 +1,40 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Services; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Error; + +[AllowAnonymous] +[SecurityHeaders] +public class Index : PageModel +{ + private readonly IIdentityServerInteractionService _interaction; + private readonly IWebHostEnvironment _environment; + + public ViewModel View { get; set; } = new(); + + public Index(IIdentityServerInteractionService interaction, IWebHostEnvironment environment) + { + _interaction = interaction; + _environment = environment; + } + + public async Task OnGet(string? errorId) + { + // retrieve error details from identityserver + var message = await _interaction.GetErrorContextAsync(errorId); + if (message != null) + { + View.Error = message; + + if (!_environment.IsDevelopment()) + { + // only show in development + message.ErrorDescription = null; + } + } + } +} diff --git a/src/IdentitySvc/Pages/Home/Error/ViewModel.cs b/src/IdentitySvc/Pages/Home/Error/ViewModel.cs new file mode 100644 index 0000000..88fa1a4 --- /dev/null +++ b/src/IdentitySvc/Pages/Home/Error/ViewModel.cs @@ -0,0 +1,20 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Models; + +namespace IdentitySvc.Pages.Error; + +public class ViewModel +{ + public ViewModel() + { + } + + public ViewModel(string error) + { + Error = new ErrorMessage { Error = error }; + } + + public ErrorMessage? Error { get; set; } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/IdentityServerSuppressions.cs b/src/IdentitySvc/Pages/IdentityServerSuppressions.cs new file mode 100644 index 0000000..7784a9a --- /dev/null +++ b/src/IdentitySvc/Pages/IdentityServerSuppressions.cs @@ -0,0 +1,22 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +// This file is used by Code Analysis to maintain SuppressMessage +// attributes that are applied to this project. +// Project-level suppressions either have no target or are given +// a specific target and scoped to a namespace, type, member, etc. + +using System.Diagnostics.CodeAnalysis; + +// global/shared +[assembly: SuppressMessage("Design", "CA1054:URI-like parameters should not be strings", Justification = "Consistent with the IdentityServer APIs")] +[assembly: SuppressMessage("Design", "CA1056:URI-like properties should not be strings", Justification = "Consistent with the IdentityServer APIs")] +[assembly: SuppressMessage("Reliability", "CA2007:Consider calling ConfigureAwait on the awaited task", Justification = "No need for ConfigureAwait in ASP.NET Core application code, as there is no SynchronizationContext.")] + +// page specific +[assembly: SuppressMessage("Design", "CA1002:Do not expose generic lists", Justification = "TestUsers are not designed to be extended", Scope = "member", Target = "~P:IdentitySvc.TestUsers.Users")] +[assembly: SuppressMessage("Design", "CA1034:Nested types should not be visible", Justification = "ExternalProvider is nested by design", Scope = "type", Target = "~T:IdentitySvc.Pages.Login.ViewModel.ExternalProvider")] +[assembly: SuppressMessage("Naming", "CA1716:Identifiers should not match keywords", Justification = "This namespace is just for organization, and won't be referenced elsewhere", Scope = "namespace", Target = "~N:IdentitySvc.Pages.Error")] +[assembly: SuppressMessage("Naming", "CA1724:Type names should not match namespaces", Justification = "Namespaces of pages are not likely to be used elsewhere, so there is little chance of confusion", Scope = "type", Target = "~T:IdentitySvc.Pages.Ciba.Consent")] +[assembly: SuppressMessage("Naming", "CA1724:Type names should not match namespaces", Justification = "Namespaces of pages are not likely to be used elsewhere, so there is little chance of confusion", Scope = "type", Target = "~T:IdentitySvc.Pages.Extensions")] +[assembly: SuppressMessage("Performance", "CA1805:Do not initialize unnecessarily", Justification = "This is for clarity and consistency with the surrounding code", Scope = "member", Target = "~F:IdentitySvc.Pages.Logout.LogoutOptions.AutomaticRedirectAfterSignOut")] diff --git a/src/IdentitySvc/Pages/Index.cshtml b/src/IdentitySvc/Pages/Index.cshtml new file mode 100644 index 0000000..65465c4 --- /dev/null +++ b/src/IdentitySvc/Pages/Index.cshtml @@ -0,0 +1,46 @@ +@page +@model IdentitySvc.Pages.Home.Index + +
    +

    + + Welcome to Duende IdentityServer + (version @Model.Version) +

    + +
      +
    • + IdentityServer publishes a + discovery document + where you can find metadata and links to all the endpoints, key material, etc. +
      • +
    • + Click here to see the claims for your current session. +
      • +
    • + Click here to manage your stored grants. +
      • +
    • + Click here to view the server side sessions. +
      • +
    • + Click here to view your pending CIBA login requests. +
      • +
    • + Here are links to the + source code repository, + and ready to use samples. +
      • +
    + + @if(Model.License != null) + { +

    License

    +
    +
    Serial Number
    +
    @Model.License.SerialNumber
    +
    Expiration
    +
    @Model.License.Expiration!.Value.ToLongDateString()
    +
    + } +
    diff --git a/src/IdentitySvc/Pages/Index.cshtml.cs b/src/IdentitySvc/Pages/Index.cshtml.cs new file mode 100644 index 0000000..12d1f1a --- /dev/null +++ b/src/IdentitySvc/Pages/Index.cshtml.cs @@ -0,0 +1,27 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer; +using System.Reflection; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Home; + +[AllowAnonymous] +public class Index : PageModel +{ + public Index(IdentityServerLicense? license = null) + { + License = license; + } + + public string Version + { + get => typeof(Duende.IdentityServer.Hosting.IdentityServerMiddleware).Assembly + .GetCustomAttribute() + ?.InformationalVersion.Split('+').First() + ?? "unavailable"; + } + public IdentityServerLicense? License { get; } +} diff --git a/src/IdentitySvc/Pages/Log.cs b/src/IdentitySvc/Pages/Log.cs new file mode 100644 index 0000000..4254325 --- /dev/null +++ b/src/IdentitySvc/Pages/Log.cs @@ -0,0 +1,87 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +namespace IdentitySvc.Pages; + +internal static class Log +{ + private static readonly Action _invalidId = LoggerMessage.Define( + LogLevel.Error, + EventIds.InvalidId, + "Invalid id {Id}"); + + public static void InvalidId(this ILogger logger, string? id) + { + _invalidId(logger, id, null); + } + + private static readonly Action _invalidBackchannelLoginId = LoggerMessage.Define( + LogLevel.Warning, + EventIds.InvalidBackchannelLoginId, + "Invalid backchannel login id {Id}"); + + public static void InvalidBackchannelLoginId(this ILogger logger, string? id) + { + _invalidBackchannelLoginId(logger, id, null); + } + + private static Action, Exception?> _externalClaims = LoggerMessage.Define>( + LogLevel.Debug, + EventIds.ExternalClaims, + "External claims: {Claims}"); + + public static void ExternalClaims(this ILogger logger, IEnumerable claims) + { + _externalClaims(logger, claims, null); + } + + private static Action _noMatchingBackchannelLoginRequest = LoggerMessage.Define( + LogLevel.Error, + EventIds.NoMatchingBackchannelLoginRequest, + "No backchannel login request matching id: {Id}"); + + public static void NoMatchingBackchannelLoginRequest(this ILogger logger, string id) + { + _noMatchingBackchannelLoginRequest(logger, id, null); + } + + private static Action _noConsentMatchingRequest = LoggerMessage.Define( + LogLevel.Error, + EventIds.NoConsentMatchingRequest, + "No consent request matching request: {ReturnUrl}"); + + public static void NoConsentMatchingRequest(this ILogger logger, string returnUrl) + { + _noConsentMatchingRequest(logger, returnUrl, null); + } + + +} + +internal static class EventIds +{ + private const int UIEventsStart = 10000; + + ////////////////////////////// + // Consent + ////////////////////////////// + private const int ConsentEventsStart = UIEventsStart + 1000; + public const int InvalidId = ConsentEventsStart + 0; + public const int NoConsentMatchingRequest = ConsentEventsStart + 1; + + ////////////////////////////// + // External Login + ////////////////////////////// + private const int ExternalLoginEventsStart = UIEventsStart + 2000; + public const int ExternalClaims = ExternalLoginEventsStart + 0; + + ////////////////////////////// + // CIBA + ////////////////////////////// + private const int CibaEventsStart = UIEventsStart + 3000; + public const int InvalidBackchannelLoginId = CibaEventsStart + 0; + public const int NoMatchingBackchannelLoginRequest = CibaEventsStart + 1; + + + +} diff --git a/src/IdentitySvc/Pages/Redirect/Index.cshtml b/src/IdentitySvc/Pages/Redirect/Index.cshtml new file mode 100644 index 0000000..4dd58ee --- /dev/null +++ b/src/IdentitySvc/Pages/Redirect/Index.cshtml @@ -0,0 +1,14 @@ +@page +@model IdentitySvc.Pages.Redirect.IndexModel +@{ +} + +
    +
    +

    You are now being returned to the application

    +

    Once complete, you may close this tab.

    +
    +
    + + + diff --git a/src/IdentitySvc/Pages/Redirect/Index.cshtml.cs b/src/IdentitySvc/Pages/Redirect/Index.cshtml.cs new file mode 100644 index 0000000..b128d75 --- /dev/null +++ b/src/IdentitySvc/Pages/Redirect/Index.cshtml.cs @@ -0,0 +1,25 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.Redirect; + +[AllowAnonymous] +public class IndexModel : PageModel +{ + public string? RedirectUri { get; set; } + + public IActionResult OnGet(string? redirectUri) + { + if (!Url.IsLocalUrl(redirectUri)) + { + return RedirectToPage("/Home/Error/Index"); + } + + RedirectUri = redirectUri; + return Page(); + } +} diff --git a/src/IdentitySvc/Pages/SecurityHeadersAttribute.cs b/src/IdentitySvc/Pages/SecurityHeadersAttribute.cs new file mode 100644 index 0000000..684acf2 --- /dev/null +++ b/src/IdentitySvc/Pages/SecurityHeadersAttribute.cs @@ -0,0 +1,56 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Microsoft.AspNetCore.Mvc.Filters; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages; + +public sealed class SecurityHeadersAttribute : ActionFilterAttribute +{ + public override void OnResultExecuting(ResultExecutingContext context) + { + ArgumentNullException.ThrowIfNull(context, nameof(context)); + + var result = context.Result; + if (result is PageResult) + { + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options + if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Type-Options")) + { + context.HttpContext.Response.Headers.Append("X-Content-Type-Options", "nosniff"); + } + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options + if (!context.HttpContext.Response.Headers.ContainsKey("X-Frame-Options")) + { + context.HttpContext.Response.Headers.Append("X-Frame-Options", "DENY"); + } + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + var csp = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self';"; + // also consider adding upgrade-insecure-requests once you have HTTPS in place for production + //csp += "upgrade-insecure-requests;"; + // also an example if you need client images to be displayed from twitter + // csp += "img-src 'self' https://pbs.twimg.com;"; + + // once for standards compliant browsers + if (!context.HttpContext.Response.Headers.ContainsKey("Content-Security-Policy")) + { + context.HttpContext.Response.Headers.Append("Content-Security-Policy", csp); + } + // and once again for IE + if (!context.HttpContext.Response.Headers.ContainsKey("X-Content-Security-Policy")) + { + context.HttpContext.Response.Headers.Append("X-Content-Security-Policy", csp); + } + + // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy + var referrer_policy = "no-referrer"; + if (!context.HttpContext.Response.Headers.ContainsKey("Referrer-Policy")) + { + context.HttpContext.Response.Headers.Append("Referrer-Policy", referrer_policy); + } + } + } +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/ServerSideSessions/Index.cshtml b/src/IdentitySvc/Pages/ServerSideSessions/Index.cshtml new file mode 100644 index 0000000..880cacf --- /dev/null +++ b/src/IdentitySvc/Pages/ServerSideSessions/Index.cshtml @@ -0,0 +1,147 @@ +@page +@model IdentitySvc.Pages.ServerSideSessions.IndexModel + +
    +
    +
    +
    +
    +

    User Sessions

    +
    + +
    + + @if (Model.UserSessions != null) + { +
    +
    + @if (Model.UserSessions.HasPrevResults) + { + Prev + } +
    +
    +
    +
    + + +
    +
    + + +
    +
    + + +
    +
    + +
    +
    +
    +
    + @if (Model.UserSessions.HasNextResults) + { + Next + } +
    +
    + + @if (Model.UserSessions.TotalCount.HasValue) + { +
    + @if (Model.UserSessions.CurrentPage.HasValue && Model.UserSessions.TotalPages.HasValue) + { + + Total Results: @Model.UserSessions.TotalCount, + Page @Model.UserSessions.CurrentPage of @Model.UserSessions.TotalPages + + } + else + { + + Total Results: @Model.UserSessions.TotalCount + + } +
    + } + +
    + + @if (Model.UserSessions.Results.Any()) + { +
    + + + + + + + + + + + + + @foreach (var session in Model.UserSessions.Results) + { + + + + + + + + + + } + +
    Subject IdSession IdDisplay NameCreatedExpires
    @session.SubjectId@session.SessionId@session.DisplayName@session.Created@session.Expires +
    + + +
    +
    + Clients: + @if (session.ClientIds?.Any() == true) + { + @(session.ClientIds.Aggregate((x, y) => $"{x}, {y}")) + } + else + { + @("None") + } +
    +
    + } + else + { +
    No User Sessions
    + } + } + else + { +
    +
    + You do not have server-side sessions enabled. + To do so, use AddServerSideSessions on your IdentityServer configuration. + See the documentation for more information. +
    +
    + } +
    +
    +
    +
    +
    \ No newline at end of file diff --git a/src/IdentitySvc/Pages/ServerSideSessions/Index.cshtml.cs b/src/IdentitySvc/Pages/ServerSideSessions/Index.cshtml.cs new file mode 100644 index 0000000..3045f48 --- /dev/null +++ b/src/IdentitySvc/Pages/ServerSideSessions/Index.cshtml.cs @@ -0,0 +1,67 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using Duende.IdentityServer.Stores; +using Microsoft.AspNetCore.Mvc; +using Microsoft.AspNetCore.Mvc.RazorPages; + +namespace IdentitySvc.Pages.ServerSideSessions +{ + public class IndexModel : PageModel + { + private readonly ISessionManagementService? _sessionManagementService; + + public IndexModel(ISessionManagementService? sessionManagementService = null) + { + _sessionManagementService = sessionManagementService; + } + + public QueryResult? UserSessions { get; set; } + + [BindProperty(SupportsGet = true)] + public string? DisplayNameFilter { get; set; } + + [BindProperty(SupportsGet = true)] + public string? SessionIdFilter { get; set; } + + [BindProperty(SupportsGet = true)] + public string? SubjectIdFilter { get; set; } + + [BindProperty(SupportsGet = true)] + public string? Token { get; set; } + + [BindProperty(SupportsGet = true)] + public string? Prev { get; set; } + + public async Task OnGet() + { + if (_sessionManagementService != null) + { + UserSessions = await _sessionManagementService.QuerySessionsAsync(new SessionQuery + { + ResultsToken = Token, + RequestPriorResults = Prev == "true", + DisplayName = DisplayNameFilter, + SessionId = SessionIdFilter, + SubjectId = SubjectIdFilter + }); + } + } + + [BindProperty] + public string? SessionId { get; set; } + + public async Task OnPost() + { + ArgumentNullException.ThrowIfNull(_sessionManagementService); + + await _sessionManagementService.RemoveSessionsAsync(new RemoveSessionsContext { + SessionId = SessionId, + }); + return RedirectToPage("/ServerSideSessions/Index", new { Token, DisplayNameFilter, SessionIdFilter, SubjectIdFilter, Prev }); + } + } +} + diff --git a/src/IdentitySvc/Pages/Shared/_Layout.cshtml b/src/IdentitySvc/Pages/Shared/_Layout.cshtml new file mode 100644 index 0000000..067a0f0 --- /dev/null +++ b/src/IdentitySvc/Pages/Shared/_Layout.cshtml @@ -0,0 +1,29 @@ + + + + + + + + Duende IdentityServer + + + + + + + + + + + +
    + @RenderBody() +
    + + + + + @RenderSection("scripts", required: false) + + diff --git a/src/IdentitySvc/Pages/Shared/_Nav.cshtml b/src/IdentitySvc/Pages/Shared/_Nav.cshtml new file mode 100644 index 0000000..3f1fdc2 --- /dev/null +++ b/src/IdentitySvc/Pages/Shared/_Nav.cshtml @@ -0,0 +1,33 @@ +@using Duende.IdentityServer.Extensions +@{ + #nullable enable + string? name = null; + if (!true.Equals(ViewData["signed-out"])) + { + name = Context.User?.GetDisplayName(); + } +} + +
    + +
    diff --git a/src/IdentitySvc/Pages/Shared/_ValidationSummary.cshtml b/src/IdentitySvc/Pages/Shared/_ValidationSummary.cshtml new file mode 100644 index 0000000..674d68d --- /dev/null +++ b/src/IdentitySvc/Pages/Shared/_ValidationSummary.cshtml @@ -0,0 +1,7 @@ +@if (ViewContext.ModelState.IsValid == false) +{ +
    + Error +
    +
    +} \ No newline at end of file diff --git a/src/IdentitySvc/Pages/Telemetry.cs b/src/IdentitySvc/Pages/Telemetry.cs new file mode 100644 index 0000000..7690cf2 --- /dev/null +++ b/src/IdentitySvc/Pages/Telemetry.cs @@ -0,0 +1,142 @@ +// Copyright (c) Duende Software. All rights reserved. +// See LICENSE in the project root for license information. + +using System.Diagnostics.Metrics; + +namespace IdentitySvc.Pages; + +#pragma warning disable CA1034 // Nested types should not be visible +#pragma warning disable CA1724 // Type names should not match namespaces + +/// +/// Telemetry helpers for the UI +/// +public static class Telemetry +{ + private static readonly string ServiceVersion = typeof(Telemetry).Assembly.GetName().Version!.ToString(); + + /// + /// Service name for telemetry. + /// + public static readonly string ServiceName = typeof(Telemetry).Assembly.GetName().Name!; + + /// + /// Metrics configuration + /// + public static class Metrics + { +#pragma warning disable 1591 + + /// + /// Name of Counters + /// + public static class Counters + { + public const string Consent = "tokenservice.consent"; + public const string GrantsRevoked = "tokenservice.grants_revoked"; + public const string UserLogin = "tokenservice.user_login"; + public const string UserLogout = "tokenservice.user_logout"; + } + + /// + /// Name of tags + /// + public static class Tags + { + public const string Client = "client"; + public const string Error = "error"; + public const string Idp = "idp"; + public const string Remember = "remember"; + public const string Scope = "scope"; + public const string Consent = "consent"; + } + + /// + /// Values of tags + /// + public static class TagValues + { + public const string Granted = "granted"; + public const string Denied = "denied"; + } + +#pragma warning restore 1591 + + /// + /// Meter for the IdentityServer host project + /// + private static readonly Meter Meter = new Meter(ServiceName, ServiceVersion); + + private static Counter ConsentCounter = Meter.CreateCounter(Counters.Consent); + + /// + /// Helper method to increase counter. The scopes + /// are expanded and called one by one to not cause a combinatory explosion of scopes. + /// + /// Client id + /// Scope names. Each element is added on it's own to the counter + public static void ConsentGranted(string clientId, IEnumerable scopes, bool remember) + { + ArgumentNullException.ThrowIfNull(scopes); + + foreach (var scope in scopes) + { + ConsentCounter.Add(1, + new(Tags.Client, clientId), + new(Tags.Scope, scope), + new(Tags.Remember, remember), + new(Tags.Consent, TagValues.Granted)); + } + } + + /// + /// Helper method to increase counter. The scopes + /// are expanded and called one by one to not cause a combinatory explosion of scopes. + /// + /// Client id + /// Scope names. Each element is added on it's own to the counter + public static void ConsentDenied(string clientId, IEnumerable scopes) + { + ArgumentNullException.ThrowIfNull(scopes); + foreach (var scope in scopes) + { + ConsentCounter.Add(1, new(Tags.Client, clientId), new(Tags.Scope, scope), new(Tags.Consent, TagValues.Denied)); + } + } + + private static Counter GrantsRevokedCounter = Meter.CreateCounter(Counters.GrantsRevoked); + + /// + /// Helper method to increase the counter. + /// + /// Client id to revoke for, or null for all. + public static void GrantsRevoked(string? clientId) + => GrantsRevokedCounter.Add(1, tag: new(Tags.Client, clientId)); + + private static Counter UserLoginCounter = Meter.CreateCounter(Counters.UserLogin); + + /// + /// Helper method to increase counter. + /// + /// Client Id, if available + public static void UserLogin(string? clientId, string idp) + => UserLoginCounter.Add(1, new(Tags.Client, clientId), new(Tags.Idp, idp)); + + /// + /// Helper method to increase + /// Client Id, if available + /// Error message + public static void UserLoginFailure(string? clientId, string idp, string error) + => UserLoginCounter.Add(1, new(Tags.Client, clientId), new(Tags.Idp, idp), new(Tags.Error, error)); + + private static Counter UserLogoutCounter = Meter.CreateCounter(Counters.UserLogout); + + /// + /// Helper method to increase the counter. + /// + /// Idp/authentication scheme for external authentication, or "local" for built in. + public static void UserLogout(string? idp) + => UserLogoutCounter.Add(1, tag: new(Tags.Idp, idp)); + } +} diff --git a/src/IdentitySvc/Pages/_ViewImports.cshtml b/src/IdentitySvc/Pages/_ViewImports.cshtml new file mode 100644 index 0000000..01b4e92 --- /dev/null +++ b/src/IdentitySvc/Pages/_ViewImports.cshtml @@ -0,0 +1,2 @@ +@using IdentitySvc.Pages +@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers diff --git a/src/IdentitySvc/Pages/_ViewStart.cshtml b/src/IdentitySvc/Pages/_ViewStart.cshtml new file mode 100644 index 0000000..a5f1004 --- /dev/null +++ b/src/IdentitySvc/Pages/_ViewStart.cshtml @@ -0,0 +1,3 @@ +@{ + Layout = "_Layout"; +} diff --git a/src/IdentitySvc/Program.cs b/src/IdentitySvc/Program.cs new file mode 100644 index 0000000..f93fc80 --- /dev/null +++ b/src/IdentitySvc/Program.cs @@ -0,0 +1,40 @@ +using IdentitySvc; +using Serilog; + +Log.Logger = new LoggerConfiguration() + .WriteTo.Console() + .CreateBootstrapLogger(); + +Log.Information("Starting up"); + +try +{ + var builder = WebApplication.CreateBuilder(args); + + builder.Services.AddControllers(); + + builder.Host.UseSerilog((ctx, lc) => lc + .WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss} {Level}] {SourceContext}{NewLine}{Message:lj}{NewLine}{Exception}{NewLine}") + .Enrich.FromLogContext() + .ReadFrom.Configuration(ctx.Configuration)); + + var app = builder + .ConfigureServices() + .ConfigurePipeline(); + + // this seeding is only for the template to bootstrap the DB and users. + // in production you will likely want a different approach. + SeedData.EnsureSeedData(app); + + app.MapControllers(); + app.Run(); +} +catch (Exception ex) when (ex is not HostAbortedException) +{ + Log.Fatal(ex, "Unhandled exception"); +} +finally +{ + Log.Information("Shut down complete"); + Log.CloseAndFlush(); +} \ No newline at end of file diff --git a/src/IdentitySvc/Properties/launchSettings.json b/src/IdentitySvc/Properties/launchSettings.json new file mode 100644 index 0000000..574583b --- /dev/null +++ b/src/IdentitySvc/Properties/launchSettings.json @@ -0,0 +1,12 @@ +{ + "profiles": { + "SelfHost": { + "commandName": "Project", + "launchBrowser": true, + "environmentVariables": { + "ASPNETCORE_ENVIRONMENT": "Development" + }, + "applicationUrl": "http://localhost:7003" + } + } +} \ No newline at end of file diff --git a/src/IdentitySvc/SeedData.cs b/src/IdentitySvc/SeedData.cs new file mode 100644 index 0000000..a4a9403 --- /dev/null +++ b/src/IdentitySvc/SeedData.cs @@ -0,0 +1,81 @@ +using System.Security.Claims; +using IdentityModel; +using IdentitySvc.Data; +using IdentitySvc.Models; +using Microsoft.AspNetCore.Identity; +using Microsoft.EntityFrameworkCore; +using Serilog; + +namespace IdentitySvc; + +public class SeedData +{ + public static void EnsureSeedData(WebApplication app) + { + using var scope = app.Services.GetRequiredService().CreateScope(); + var context = scope.ServiceProvider.GetRequiredService(); + context.Database.Migrate(); + + var userMgr = scope.ServiceProvider.GetRequiredService>(); + + if (userMgr.Users.Any()) return; + + var alice = userMgr.FindByNameAsync("alice").Result; + if (alice == null) + { + alice = new ApplicationUser + { + UserName = "alice", + Email = "AliceSmith@email.com", + EmailConfirmed = true, + }; + var result = userMgr.CreateAsync(alice, "Pass123$").Result; + if (!result.Succeeded) + { + throw new Exception(result.Errors.First().Description); + } + + result = userMgr.AddClaimsAsync(alice, new Claim[]{ + new Claim(JwtClaimTypes.Name, "Alice Smith"), + }).Result; + if (!result.Succeeded) + { + throw new Exception(result.Errors.First().Description); + } + Log.Debug("alice created"); + } + else + { + Log.Debug("alice already exists"); + } + + var bob = userMgr.FindByNameAsync("bob").Result; + if (bob == null) + { + bob = new ApplicationUser + { + UserName = "bob", + Email = "BobSmith@email.com", + EmailConfirmed = true + }; + var result = userMgr.CreateAsync(bob, "Pass123$").Result; + if (!result.Succeeded) + { + throw new Exception(result.Errors.First().Description); + } + + result = userMgr.AddClaimsAsync(bob, new Claim[]{ + new Claim(JwtClaimTypes.Name, "Bob Smith"), + }).Result; + if (!result.Succeeded) + { + throw new Exception(result.Errors.First().Description); + } + Log.Debug("bob created"); + } + else + { + Log.Debug("bob already exists"); + } + } +} diff --git a/src/IdentitySvc/Services/CustomProfileService.cs b/src/IdentitySvc/Services/CustomProfileService.cs new file mode 100644 index 0000000..ec35e63 --- /dev/null +++ b/src/IdentitySvc/Services/CustomProfileService.cs @@ -0,0 +1,37 @@ +using System.Security.Claims; +using Duende.IdentityServer.Models; +using Duende.IdentityServer.Services; +using IdentityModel; +using Microsoft.AspNetCore.Identity; +using IdentitySvc.Models; + +namespace IdentitySvc.Services; + +public class CustomProfileService : IProfileService +{ + private readonly UserManager _userManager; + + public CustomProfileService(UserManager userManager) + { + _userManager = userManager; + } + + public async Task GetProfileDataAsync(ProfileDataRequestContext context) + { + var user = await _userManager.GetUserAsync(context.Subject); + var existingClaims = await _userManager.GetClaimsAsync(user); + + var claims = new List + { + new Claim("username", user.UserName), + }; + + context.IssuedClaims.AddRange(claims); + context.IssuedClaims.Add(existingClaims.FirstOrDefault(x => x.Type == JwtClaimTypes.Name)); + } + + public Task IsActiveAsync(IsActiveContext context) + { + return Task.CompletedTask; + } +} \ No newline at end of file diff --git a/src/IdentitySvc/buildschema.bat b/src/IdentitySvc/buildschema.bat new file mode 100644 index 0000000..026d29a --- /dev/null +++ b/src/IdentitySvc/buildschema.bat @@ -0,0 +1,3 @@ +rmdir /S /Q "Data/Migrations" + +dotnet ef migrations add Users -c ApplicationDbContext -o Data/Migrations diff --git a/src/IdentitySvc/buildschema.sh b/src/IdentitySvc/buildschema.sh new file mode 100644 index 0000000..50250dc --- /dev/null +++ b/src/IdentitySvc/buildschema.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +rm -rf "Data/Migrations" + +dotnet ef migrations add Users -c ApplicationDbContext -o Data/Migrations diff --git a/src/IdentitySvc/keys/is-signing-key-77EB8A5360F8A1CEBDE8A5C6954780A5.json b/src/IdentitySvc/keys/is-signing-key-77EB8A5360F8A1CEBDE8A5C6954780A5.json new file mode 100644 index 0000000..672d431 --- /dev/null +++ b/src/IdentitySvc/keys/is-signing-key-77EB8A5360F8A1CEBDE8A5C6954780A5.json @@ -0,0 +1 @@ +{"Version":1,"Id":"77EB8A5360F8A1CEBDE8A5C6954780A5","Created":"2025-05-25T15:12:00.8996178Z","Algorithm":"RS256","IsX509Certificate":false,"Data":"CfDJ8BIJalz9mTlNqljDUzwnDk0ARrMXC6Z0QHpR_RqrdI-s1X8AxnD86UJmmJrnZRBXC0-q1fGrU2GMD1bEaR0_EnEw4GU5_fX9B1EVWs5OgQNXazOxkkCj5rnCcJmu779FXuoKbCn95KHCljQFxcAClWlRL4-7ufG5YYn3ka_3He3cHZDEt8Kh2inMFZq2jWjoxi3F668ApZQty2RmEDulv512LYH0NlKXSYgGlb6GtAHzngGjiUTIjwhKtcZ8BhgMzurm-9AZ4zLOcnnrrkA4yPgyL9omiHrkrjgbttmq107N_RsIhV9xfe5g3NqckIhRvWCPbqfzvmtiKWrkgzQJSFr73I5bYH_-9Lf10k7Jd-XMrAuf2Yts8WUNxUVw9Bv_0uSOAgMdAH0gExBKw2WxXBzc71gFUly4_THC8Od5J6CoyQIGdsSJVUskpc5z4QkkUOzoO1BoLsNL8OpkjHpuGMoQDTlC4khHqD37tJPj1cHUt5uwOrJnInmzXXSLK3mTQOtuNmbDSiNO_UJ5DnPDzvhNoPJjiTeuRWGhnd13OiC8Ehk_EIfxmSkw3Xs5v54-97MAL71DD0QYurWc2lnXjqX4_7Kqpx0kmJpTibBHXuykVBa32lMKLroo6vSAkaKPeEFNoMZymIH5oABMVHApUs2jw_TheVwuJ0pvBhFwr4wfCa5x6IDmfuKYsglkA6JZMirIDHMvBuR2OcUuW22GOt6gzMLq2LoLcBHS1pfCip4Awyl4GjW8Rs-_syjlU0Pw_PR45tUTC0Zeq-_JHWSEuhPLDmcojXN9nyPu-Rx-NlMrabK4XG8xNDpMFLTm-3XpqPMHIHNYutm3gbx9oSsEVc98hrMC1GNiLvoM8UWUxAUjlgowy3O7-nfLQRZOPnA8mo6oADjK8HNKBMFuiyiRHYDs5Xb1x4n6_EC0YdV5qutFHnyu3DTsw0K9Z_l_HyryUdIZk6jjrSvLVTlyWNigjVQAgHqu4rGQDLKB1U7o9M8cz5cMLowgUvSytvbkG9D_cmVz6LgUI4K_Nw_mNtn2Zh38NAwF-8tlY4n8QM0c5nfI12Vw1bHv-CvjRDxDga3s-0wpFXhN8ZCXlLIlbIlGZQearIKkgoTy7ssL2Ki0PS7U-8daHlZpoD7EuGL8DaUK33dgS-xfGeiKXvZtTx8ryt_6uZI8kqvzP61kUgQ_PUihFY2U-n4tiSBQ3MW9uzPBWp1w6mLx2yhl_R7OiITUYtLXQieap2psIFdbfFW4MXNgWiyzw0otXdyJHiP56v7_pwBsdz8fXsxmOU9kaec86rJzBiEtfvkVNTPor3f37ctAi9FcsWVHqgcRbebsRSeNZBFas6Cd_xPxQkIEszdB7MAbIJOvBmVfijwpv3n2rplwef_aBLe7wbnmc2nPfDjW5L-QzYaAl7Jm-sDQ9GjVMvVQgrAnAhvz7gTIRbcCq5LN7yzy6dJfQPbqj_ejGImPJZuHGHhH2iad6ppvdrnIcpYVovqXO-ORiMOnNCTzzpRkDNA9cUP-KsxFc7r3pGDViGLB7hMzylcCa1-gRkAfYmcGfxu4s3ePpVk2P-0Vn0SScHItoUJkI6yaIJ6wzmgxxE3Gpx6zxqr9nn5I0pFzKaCktB7ppT0GqFxkBf88Zx1jpo6XRQHGs5rTsoAsjcaOCzqSZy5t9jI_vh8z53A29t5QkIKnROkpHywN5zQ8x2pnpHTk9aXp2geNjDFygVhNccYzVLjXSdMJmmcSG51-lGdbX9dSC6ND7EEXRBWyacOvQKYhRGKXZF8Edn1Hp40JIW3-ZeCF_kJF9VSP_-STftlPy7NGMIYvPre0L9NU2SNVBgBTwwCkaufHGyMufYgwMwJ8jZIUHErRennTW5vYDiagjDq9h6YOg0OLgHR4xwzydrZyJBMm1ICwsBcffgKfWYFsV1XuXtGDVZ8C3b0PtT6jb6D9ixSgxWEIGERuk2cJCQooyvtPSqyYIBS-OBqwQicISfroIFtUEYzaRZQib6BRI-VpvUh1_8FSdFSoje0Je3_DFrd1N-KBVfzOy7hdfZoNpipKeq8Xrmcy7B5yQB3jG0qiKHPvk-VstzGZvf1rzqIxHmaWvNXbCmh8oRLJji3Y3LQEnxOr1lgas5jJzjplDLX7cDo08KgIX4R0yKHp34Xa_J7L8iuGcuoCIUyarxPus-ixmIA1non0Hm-6EOmYpT7h_zKmfE7H4V3i2ys4q0sOdB2y3sOUjzhHGXS8APmwnWzZX0BgStm6MrwTY3TNSC5SGegxdcLxKYpc695_5G6zxA2QRYP9_aU8ZyuRryupaB0gZUXCo9Qmzw3y2RJneteMd1SwX7X-q0W1yoV0w-C19Rd1NWuGUapKSjRYkoF4X_AJb5fAQ6XbBwgxcnlSTdJCshdphnH59mJCCR-DFaSHHpt2c7Fc9NdCN7BqzsnDCeOlnVjiVvFVbtd4mBhSk8715ul8lOpikgt9bzZi","DataProtected":true} \ No newline at end of file diff --git a/src/IdentitySvc/wwwroot/css/site.css b/src/IdentitySvc/wwwroot/css/site.css new file mode 100644 index 0000000..f02c0b1 --- /dev/null +++ b/src/IdentitySvc/wwwroot/css/site.css @@ -0,0 +1,39 @@ +.welcome-page .logo { + width: 64px; +} + +.icon-banner { + width: 32px; +} + +.body-container { + margin-top: 60px; + padding-bottom: 40px; +} + +.welcome-page li { + list-style: none; + padding: 4px; +} + +.logged-out-page iframe { + display: none; + width: 0; + height: 0; +} + +.grants-page .card { + margin-top: 20px; + border-bottom: 1px solid lightgray; +} +.grants-page .card .card-title { + font-size: 120%; + font-weight: bold; +} +.grants-page .card .card-title img { + width: 100px; + height: 100px; +} +.grants-page .card label { + font-weight: bold; +} diff --git a/src/IdentitySvc/wwwroot/css/site.min.css b/src/IdentitySvc/wwwroot/css/site.min.css new file mode 100644 index 0000000..f3e1985 --- /dev/null +++ b/src/IdentitySvc/wwwroot/css/site.min.css @@ -0,0 +1 @@ +.welcome-page .logo{width:64px;}.icon-banner{width:32px;}.body-container{margin-top:60px;padding-bottom:40px;}.welcome-page li{list-style:none;padding:4px;}.logged-out-page iframe{display:none;width:0;height:0;}.grants-page .card{margin-top:20px;border-bottom:1px solid #d3d3d3;}.grants-page .card .card-title{font-size:120%;font-weight:bold;}.grants-page .card .card-title img{width:100px;height:100px;}.grants-page .card label{font-weight:bold;} \ No newline at end of file diff --git a/src/IdentitySvc/wwwroot/css/site.scss b/src/IdentitySvc/wwwroot/css/site.scss new file mode 100644 index 0000000..29d9c85 --- /dev/null +++ b/src/IdentitySvc/wwwroot/css/site.scss @@ -0,0 +1,50 @@ +.welcome-page { + .logo { + width: 64px; + } +} + +.icon-banner { + width: 32px; +} + +.body-container { + margin-top: 60px; + padding-bottom: 40px; +} + +.welcome-page { + li { + list-style: none; + padding: 4px; + } +} + +.logged-out-page { + iframe { + display: none; + width: 0; + height: 0; + } +} + +.grants-page { + .card { + margin-top: 20px; + border-bottom: 1px solid lightgray; + + .card-title { + img { + width: 100px; + height: 100px; + } + + font-size: 120%; + font-weight: bold; + } + + label { + font-weight: bold; + } + } +} diff --git a/src/IdentitySvc/wwwroot/duende-logo.svg b/src/IdentitySvc/wwwroot/duende-logo.svg new file mode 100644 index 0000000..5fa55bf --- /dev/null +++ b/src/IdentitySvc/wwwroot/duende-logo.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/src/IdentitySvc/wwwroot/favicon.ico b/src/IdentitySvc/wwwroot/favicon.ico new file mode 100644 index 0000000..f7ecfd9 Binary files /dev/null and b/src/IdentitySvc/wwwroot/favicon.ico differ diff --git a/src/IdentitySvc/wwwroot/js/signin-redirect.js b/src/IdentitySvc/wwwroot/js/signin-redirect.js new file mode 100644 index 0000000..6ebc569 --- /dev/null +++ b/src/IdentitySvc/wwwroot/js/signin-redirect.js @@ -0,0 +1 @@ +window.location.href = document.querySelector("meta[http-equiv=refresh]").getAttribute("data-url"); diff --git a/src/IdentitySvc/wwwroot/js/signout-redirect.js b/src/IdentitySvc/wwwroot/js/signout-redirect.js new file mode 100644 index 0000000..cdfc5e7 --- /dev/null +++ b/src/IdentitySvc/wwwroot/js/signout-redirect.js @@ -0,0 +1,6 @@ +window.addEventListener("load", function () { + var a = document.querySelector("a.PostLogoutRedirectUri"); + if (a) { + window.location = a.href; + } +}); diff --git a/src/Shared/DTOs/DeleteDto.cs b/src/Shared/DTOs/DeleteDto.cs new file mode 100644 index 0000000..5317d16 --- /dev/null +++ b/src/Shared/DTOs/DeleteDto.cs @@ -0,0 +1,9 @@ +using System.ComponentModel.DataAnnotations; + +namespace Shared.DTOs; + +public class DeleteDto +{ + [Required] + public required string Id { get; set; } +} \ No newline at end of file diff --git a/src/Shared/Shared.csproj b/src/Shared/Shared.csproj index 3a63532..b5a8082 100644 --- a/src/Shared/Shared.csproj +++ b/src/Shared/Shared.csproj @@ -6,4 +6,17 @@ enable + + + true + PreserveNewest + PreserveNewest + + + true + PreserveNewest + PreserveNewest + + + diff --git a/src/Tests/postman/Catalog_Exercices.postman_collection.json b/src/Tests/postman/Catalog_Exercices.postman_collection.json new file mode 100644 index 0000000..159a90a --- /dev/null +++ b/src/Tests/postman/Catalog_Exercices.postman_collection.json @@ -0,0 +1,231 @@ +{ + "info": { + "_postman_id": "c019ebd5-bed6-49ea-a584-086e91bfe503", + "name": "Catalog Exercices", + "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" + }, + "item": [ + { + "name": "Créer un exercice", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "var jsonData = pm.response.json();", + "pm.test('Status code is 201', function() {", + " pm.response.to.have.status(201);", + "});", + "pm.test('L\'exercice a un id', function() {", + " pm.expect(jsonData.id).to.be.a('string');", + "});", + "pm.environment.set('exerciceId', jsonData.id);" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "POST", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\n \"name\": \"Pompes\",\n \"description\": \"Exercice de musculation pour les pectoraux\",\n \"target\": 1,\n \"imageUrl\": \"images/pompes.jpg\",\n \"videoUrl\": \"https://www.youtube.com/watch?v=IODxDxX7oi4\"\n}" + }, + "url": { + "raw": "{{catalogApi}}/api/exercices", + "host": [ + "{{catalogApi}}" + ], + "path": [ + "api", + "exercices" + ] + } + } + }, + { + "name": "Récupérer l'exercice par id", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "var jsonData = pm.response.json();", + "pm.test('Status code is 200', function() {", + " pm.response.to.have.status(200);", + "});", + "pm.test('Nom de l\\'exercice est Pompes', function() {", + " pm.expect(jsonData.name).to.eq('Pompes');", + "});" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "{{catalogApi}}/api/exercices/{{exerciceId}}", + "host": [ + "{{catalogApi}}" + ], + "path": [ + "api", + "exercices", + "{{exerciceId}}" + ] + } + } + }, + { + "name": "Mettre à jour l'exercice", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "pm.test('Status code is 204', function() {", + " pm.response.to.have.status(204);", + "});" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "PUT", + "header": [ + { + "key": "Content-Type", + "value": "application/json" + } + ], + "body": { + "mode": "raw", + "raw": "{\n \"id\": \"{{exerciceId}}\",\n \"name\": \"Pompes modifiées\",\n \"description\": \"Exercice modifié\",\n \"target\": 2,\n \"imageUrl\": \"images/pompes_mod.jpg\",\n \"videoUrl\": \"https://www.youtube.com/watch?v=abcd\"\n}" + }, + "url": { + "raw": "{{catalogApi}}/api/exercices/{{exerciceId}}", + "host": [ + "{{catalogApi}}" + ], + "path": [ + "api", + "exercices", + "{{exerciceId}}" + ] + } + } + }, + { + "name": "Vérifier la mise à jour", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "var jsonData = pm.response.json();", + "pm.test('Status code is 200', function() {", + " pm.response.to.have.status(200);", + "});", + "pm.test('Nom de l\\'exercice est Pompes modifiées', function() {", + " pm.expect(jsonData.name).to.eq('Pompes modifiées');", + "});" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "{{catalogApi}}/api/exercices/{{exerciceId}}", + "host": [ + "{{catalogApi}}" + ], + "path": [ + "api", + "exercices", + "{{exerciceId}}" + ] + } + } + }, + { + "name": "Supprimer l'exercice", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "pm.test('Status code is 204', function() {", + " pm.response.to.have.status(204);", + "});" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "DELETE", + "header": [], + "url": { + "raw": "{{catalogApi}}/api/exercices/{{exerciceId}}", + "host": [ + "{{catalogApi}}" + ], + "path": [ + "api", + "exercices", + "{{exerciceId}}" + ] + } + } + }, + { + "name": "Vérifier la suppression", + "event": [ + { + "listen": "test", + "script": { + "exec": [ + "pm.test('Status code is 404', function() {", + " pm.response.to.have.status(404);", + "});" + ], + "type": "text/javascript" + } + } + ], + "request": { + "method": "GET", + "header": [], + "url": { + "raw": "{{catalogApi}}/api/exercices/{{exerciceId}}", + "host": [ + "{{catalogApi}}" + ], + "path": [ + "api", + "exercices", + "{{exerciceId}}" + ] + } + } + } + ], + "variable": [ + { + "key": "catalogApi", + "value": "http://localhost:5000" + } + ] +}