You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
237 lines
8.7 KiB
237 lines
8.7 KiB
// Copyright (c) Duende Software. All rights reserved.
|
|
// See LICENSE in the project root for license information.
|
|
|
|
using Duende.IdentityServer.Events;
|
|
using Duende.IdentityServer.Extensions;
|
|
using Duende.IdentityServer.Models;
|
|
using Duende.IdentityServer.Services;
|
|
using Duende.IdentityServer.Validation;
|
|
using IdentityModel;
|
|
using Microsoft.AspNetCore.Authorization;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using Microsoft.AspNetCore.Mvc.RazorPages;
|
|
|
|
namespace IdentitySvc.Pages.Consent;
|
|
|
|
[Authorize]
|
|
[SecurityHeaders]
|
|
public class Index : PageModel
|
|
{
|
|
private readonly IIdentityServerInteractionService _interaction;
|
|
private readonly IEventService _events;
|
|
private readonly ILogger<Index> _logger;
|
|
|
|
public Index(
|
|
IIdentityServerInteractionService interaction,
|
|
IEventService events,
|
|
ILogger<Index> logger)
|
|
{
|
|
_interaction = interaction;
|
|
_events = events;
|
|
_logger = logger;
|
|
}
|
|
|
|
public ViewModel View { get; set; } = default!;
|
|
|
|
[BindProperty]
|
|
public InputModel Input { get; set; } = default!;
|
|
|
|
public async Task<IActionResult> OnGet(string? returnUrl)
|
|
{
|
|
if (!await SetViewModelAsync(returnUrl))
|
|
{
|
|
return RedirectToPage("/Home/Error/Index");
|
|
}
|
|
|
|
Input = new InputModel
|
|
{
|
|
ReturnUrl = returnUrl,
|
|
};
|
|
|
|
return Page();
|
|
}
|
|
|
|
public async Task<IActionResult> OnPost()
|
|
{
|
|
// validate return url is still valid
|
|
var request = await _interaction.GetAuthorizationContextAsync(Input.ReturnUrl);
|
|
if (request == null) return RedirectToPage("/Home/Error/Index");
|
|
|
|
ConsentResponse? grantedConsent = null;
|
|
|
|
// user clicked 'no' - send back the standard 'access_denied' response
|
|
if (Input.Button == "no")
|
|
{
|
|
grantedConsent = new ConsentResponse { Error = AuthorizationError.AccessDenied };
|
|
|
|
// emit event
|
|
await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues));
|
|
Telemetry.Metrics.ConsentDenied(request.Client.ClientId, request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName));
|
|
}
|
|
// user clicked 'yes' - validate the data
|
|
else if (Input.Button == "yes")
|
|
{
|
|
// if the user consented to some scope, build the response model
|
|
if (Input.ScopesConsented.Any())
|
|
{
|
|
var scopes = Input.ScopesConsented;
|
|
if (ConsentOptions.EnableOfflineAccess == false)
|
|
{
|
|
scopes = scopes.Where(x => x != Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess);
|
|
}
|
|
|
|
grantedConsent = new ConsentResponse
|
|
{
|
|
RememberConsent = Input.RememberConsent,
|
|
ScopesValuesConsented = scopes.ToArray(),
|
|
Description = Input.Description
|
|
};
|
|
|
|
// emit event
|
|
await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent));
|
|
Telemetry.Metrics.ConsentGranted(request.Client.ClientId, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent);
|
|
var denied = request.ValidatedResources.ParsedScopes.Select(s => s.ParsedName).Except(grantedConsent.ScopesValuesConsented);
|
|
Telemetry.Metrics.ConsentDenied(request.Client.ClientId, denied);
|
|
}
|
|
else
|
|
{
|
|
ModelState.AddModelError("", ConsentOptions.MustChooseOneErrorMessage);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
ModelState.AddModelError("", ConsentOptions.InvalidSelectionErrorMessage);
|
|
}
|
|
|
|
if (grantedConsent != null)
|
|
{
|
|
ArgumentNullException.ThrowIfNull(Input.ReturnUrl, nameof(Input.ReturnUrl));
|
|
|
|
// communicate outcome of consent back to identityserver
|
|
await _interaction.GrantConsentAsync(request, grantedConsent);
|
|
|
|
// redirect back to authorization endpoint
|
|
if (request.IsNativeClient() == true)
|
|
{
|
|
// The client is native, so this change in how to
|
|
// return the response is for better UX for the end user.
|
|
return this.LoadingPage(Input.ReturnUrl);
|
|
}
|
|
|
|
return Redirect(Input.ReturnUrl);
|
|
}
|
|
|
|
// we need to redisplay the consent UI
|
|
if (!await SetViewModelAsync(Input.ReturnUrl))
|
|
{
|
|
return RedirectToPage("/Home/Error/Index");
|
|
}
|
|
return Page();
|
|
}
|
|
|
|
private async Task<bool> SetViewModelAsync(string? returnUrl)
|
|
{
|
|
ArgumentNullException.ThrowIfNull(returnUrl);
|
|
|
|
var request = await _interaction.GetAuthorizationContextAsync(returnUrl);
|
|
if (request != null)
|
|
{
|
|
View = CreateConsentViewModel(request);
|
|
return true;
|
|
}
|
|
else
|
|
{
|
|
_logger.NoConsentMatchingRequest(returnUrl);
|
|
return false;
|
|
}
|
|
}
|
|
|
|
private ViewModel CreateConsentViewModel(AuthorizationRequest request)
|
|
{
|
|
var vm = new ViewModel
|
|
{
|
|
ClientName = request.Client.ClientName ?? request.Client.ClientId,
|
|
ClientUrl = request.Client.ClientUri,
|
|
ClientLogoUrl = request.Client.LogoUri,
|
|
AllowRememberConsent = request.Client.AllowRememberConsent
|
|
};
|
|
|
|
vm.IdentityScopes = request.ValidatedResources.Resources.IdentityResources
|
|
.Select(x => CreateScopeViewModel(x, Input == null || Input.ScopesConsented.Contains(x.Name)))
|
|
.ToArray();
|
|
|
|
var resourceIndicators = request.Parameters.GetValues(OidcConstants.AuthorizeRequest.Resource) ?? Enumerable.Empty<string>();
|
|
var apiResources = request.ValidatedResources.Resources.ApiResources.Where(x => resourceIndicators.Contains(x.Name));
|
|
|
|
var apiScopes = new List<ScopeViewModel>();
|
|
foreach (var parsedScope in request.ValidatedResources.ParsedScopes)
|
|
{
|
|
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);
|
|
if (apiScope != null)
|
|
{
|
|
var scopeVm = CreateScopeViewModel(parsedScope, apiScope, Input == null || Input.ScopesConsented.Contains(parsedScope.RawValue));
|
|
scopeVm.Resources = apiResources.Where(x => x.Scopes.Contains(parsedScope.ParsedName))
|
|
.Select(x => new ResourceViewModel
|
|
{
|
|
Name = x.Name,
|
|
DisplayName = x.DisplayName ?? x.Name,
|
|
}).ToArray();
|
|
apiScopes.Add(scopeVm);
|
|
}
|
|
}
|
|
if (ConsentOptions.EnableOfflineAccess && request.ValidatedResources.Resources.OfflineAccess)
|
|
{
|
|
apiScopes.Add(CreateOfflineAccessScope(Input == null || Input.ScopesConsented.Contains(Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess)));
|
|
}
|
|
vm.ApiScopes = apiScopes;
|
|
|
|
return vm;
|
|
}
|
|
|
|
private static ScopeViewModel CreateScopeViewModel(IdentityResource identity, bool check)
|
|
{
|
|
return new ScopeViewModel
|
|
{
|
|
Name = identity.Name,
|
|
Value = identity.Name,
|
|
DisplayName = identity.DisplayName ?? identity.Name,
|
|
Description = identity.Description,
|
|
Emphasize = identity.Emphasize,
|
|
Required = identity.Required,
|
|
Checked = check || identity.Required
|
|
};
|
|
}
|
|
|
|
private static ScopeViewModel CreateScopeViewModel(ParsedScopeValue parsedScopeValue, ApiScope apiScope, bool check)
|
|
{
|
|
var displayName = apiScope.DisplayName ?? apiScope.Name;
|
|
if (!String.IsNullOrWhiteSpace(parsedScopeValue.ParsedParameter))
|
|
{
|
|
displayName += ":" + parsedScopeValue.ParsedParameter;
|
|
}
|
|
|
|
return new ScopeViewModel
|
|
{
|
|
Name = parsedScopeValue.ParsedName,
|
|
Value = parsedScopeValue.RawValue,
|
|
DisplayName = displayName,
|
|
Description = apiScope.Description,
|
|
Emphasize = apiScope.Emphasize,
|
|
Required = apiScope.Required,
|
|
Checked = check || apiScope.Required
|
|
};
|
|
}
|
|
|
|
private static ScopeViewModel CreateOfflineAccessScope(bool check)
|
|
{
|
|
return new ScopeViewModel
|
|
{
|
|
Value = Duende.IdentityServer.IdentityServerConstants.StandardScopes.OfflineAccess,
|
|
DisplayName = ConsentOptions.OfflineAccessDisplayName,
|
|
Description = ConsentOptions.OfflineAccessDescription,
|
|
Emphasize = true,
|
|
Checked = check
|
|
};
|
|
}
|
|
}
|