Introduce Allow*Flow() methods in the client stack to control what gr…

…ant types/response types/response modes/code challenge methods are enabled
mozts2005 · Nov 23, 2022 · d758254 · d758254
1 parent 15c408b
commit d758254
Show file tree

Hide file tree

Showing 26 changed files with 572 additions and 275 deletions.
diff --git a/Directory.Build.targets b/Directory.Build.targets
@@ -43,6 +43,7 @@
     <DefineConstants>$(DefineConstants);SUPPORTS_EPHEMERAL_KEY_SETS</DefineConstants>
     <DefineConstants>$(DefineConstants);SUPPORTS_KEY_DERIVATION_WITH_SPECIFIED_HASH_ALGORITHM</DefineConstants>
     <DefineConstants>$(DefineConstants);SUPPORTS_RSA_KEY_CREATION_WITH_SPECIFIED_SIZE</DefineConstants>
+    <DefineConstants>$(DefineConstants);SUPPORTS_TOHASHSET_LINQ_EXTENSION</DefineConstants>
   </PropertyGroup>
 
   <PropertyGroup

diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs b/sandbox/OpenIddict.Sandbox.AspNet.Client/Startup.cs
@@ -82,6 +82,9 @@ private static IContainer CreateContainer()
                     options.SetPostLogoutRedirectionEndpointUris(
                         "/callback/logout/local");
 
+                    // Note: this sample uses the code flow, but you can enable the other flows if necessary.
+                    options.AllowAuthorizationCodeFlow();
+
                     // Register the signing and encryption credentials used to protect
                     // sensitive data like the state tokens produced by OpenIddict.
                     options.AddDevelopmentEncryptionCertificate()

diff --git a/sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs b/sandbox/OpenIddict.Sandbox.AspNet.Server/Startup.cs
@@ -159,6 +159,9 @@ private static IContainer CreateContainer()
                     // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
                     options.SetRedirectionEndpointUris("/callback/login/github");
 
+                    // Note: this sample uses the code flow, but you can enable the other flows if necessary.
+                    options.AllowAuthorizationCodeFlow();
+
                     // Register the signing and encryption credentials used to protect
                     // sensitive data like the state tokens produced by OpenIddict.
                     options.AddDevelopmentEncryptionCertificate()

diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Client/Startup.cs
@@ -91,6 +91,9 @@ public void ConfigureServices(IServiceCollection services)
                 options.SetPostLogoutRedirectionEndpointUris(
                     "/callback/logout/local");
 
+                // Note: this sample uses the code flow, but you can enable the other flows if necessary.
+                options.AllowAuthorizationCodeFlow();
+
                 // Register the signing and encryption credentials used to protect
                 // sensitive data like the state tokens produced by OpenIddict.
                 options.AddDevelopmentEncryptionCertificate()
@@ -119,7 +122,7 @@ public void ConfigureServices(IServiceCollection services)
                     Scopes = { Scopes.Email, Scopes.Profile, Scopes.OfflineAccess, "demo_api" },
 
                     RedirectUri = new Uri("https://localhost:44381/callback/login/local", UriKind.Absolute),
-                    PostLogoutRedirectUri = new Uri("https://localhost:44381/callback/logout/local", UriKind.Absolute),
+                    PostLogoutRedirectUri = new Uri("https://localhost:44381/callback/logout/local", UriKind.Absolute)
                 });
 
                 // Register the Web providers integrations.

diff --git a/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs b/sandbox/OpenIddict.Sandbox.AspNetCore.Server/Startup.cs
@@ -76,6 +76,9 @@ public void ConfigureServices(IServiceCollection services)
                 // see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics#section-4.4.
                 options.SetRedirectionEndpointUris("/callback/login/github");
 
+                // Note: this sample uses the code flow, but you can enable the other flows if necessary.
+                options.AllowAuthorizationCodeFlow();
+
                 // Register the signing and encryption credentials used to protect
                 // sensitive data like the state tokens produced by OpenIddict.
                 options.AddDevelopmentEncryptionCertificate()

diff --git a/shared/OpenIddict.Extensions/Helpers/OpenIddictHelpers.cs b/shared/OpenIddict.Extensions/Helpers/OpenIddictHelpers.cs
@@ -78,6 +78,19 @@ public static IEnumerable<Type> FindGenericBaseTypes(Type type, Type definition)
         }
     }
 
+#if !SUPPORTS_TOHASHSET_LINQ_EXTENSION
+    /// <summary>
+    /// Creates a new <see cref="HashSet{T}"/> instance and imports the elements present in the specified source.
+    /// </summary>
+    /// <typeparam name="TSource">The type of the elements present in the collection.</typeparam>
+    /// <param name="source">The source collection.</param>
+    /// <param name="comparer">The comparer to use.</param>
+    /// <returns>A new <see cref="HashSet{T}"/> instance and imports the elements present in the specified source.</returns>
+    /// <exception cref="ArgumentNullException">The <paramref name="source"/> is <see langword="null"/>.</exception>
+    public static HashSet<TSource> ToHashSet<TSource>(this IEnumerable<TSource> source, IEqualityComparer<TSource>? comparer)
+        => new(source ?? throw new ArgumentNullException(nameof(source)), comparer);
+#endif
+
     /// <summary>
     /// Adds a query string parameter to the specified <see cref="Uri"/>.
     /// </summary>
@@ -212,7 +225,7 @@ public static ClaimsPrincipal CreateMergedPrincipal(params ClaimsPrincipal?[] pr
         // a user identity, a fake one containing an "unauthenticated" identity (i.e with its
         // AuthenticationType property deliberately left to null) is used to allow the host
         // to return a "successful" authentication result for these delegation-only scenarios.
-        if (!principals.Any(principal => principal?.Identity is ClaimsIdentity { IsAuthenticated: true }))
+        if (!Array.Exists(principals, static principal => principal?.Identity is ClaimsIdentity { IsAuthenticated: true }))
         {
             return new ClaimsPrincipal(new ClaimsIdentity());
         }

diff --git a/src/OpenIddict.Abstractions/OpenIddictResources.resx b/src/OpenIddict.Abstractions/OpenIddictResources.resx
@@ -1151,13 +1151,13 @@ To validate tokens received by custom API endpoints, the OpenIddict validation h
     <value>The specified grant type is not supported.</value>
   </data>
   <data name="ID0297" xml:space="preserve">
-    <value>A common grant type supported by both the client and the server couldn't be negotiated automatically. If the error persists, consider specifying a list of allowed grant types in the client registration and ensure the supported grant types listed in the authorization server configuration are appropriate.</value>
+    <value>A common grant type supported by both the client and the server couldn't be negotiated automatically. Ensure at least one common flow is enabled in the client options. If the error persists, consider specifying a list of allowed grant types in the client registration and ensure the supported grant types listed in the authorization server configuration are appropriate.</value>
   </data>
   <data name="ID0298" xml:space="preserve">
-    <value>A common response type combination supported by both the client and the server couldn't be negotiated automatically. If the error persists, consider specifying a list of allowed response type combinations in the client registration and ensure the supported response type combinations listed in the authorization server configuration are appropriate.</value>
+    <value>A common response type combination supported by both the client and the server couldn't be negotiated automatically. Ensure at least one common flow is enabled in the client options. If the error persists, consider specifying a list of allowed response type combinations in the client registration and ensure the supported response type combinations listed in the authorization server configuration are appropriate.</value>
   </data>
   <data name="ID0299" xml:space="preserve">
-    <value>A common response mode supported by both the client and the server couldn't be negotiated automatically. If the error persists, consider specifying a list of allowed response modes in the client registration and ensure the supported response modes listed in the authorization server configuration are appropriate.</value>
+    <value>A common response mode supported by both the client and the server couldn't be negotiated automatically. Ensure at least one common flow is enabled in the client options. If the error persists, consider specifying a list of allowed response modes in the client registration and ensure the supported response modes listed in the authorization server configuration are appropriate.</value>
   </data>
   <data name="ID0300" xml:space="preserve">
     <value>A redirection URI must be specified in the client registration options when using OpenID Connect.</value>
@@ -1189,7 +1189,7 @@ To apply redirection responses, create a class implementing 'IOpenIddictClientHa
     <value>The specified list of valid token types is not valid.</value>
   </data>
   <data name="ID0309" xml:space="preserve">
-    <value>A grant type must be specified when triggering authentication demands from endpoints that are not managed by the OpenIddict client stack.</value>
+    <value>A grant type must be specified when triggering authentication demands from endpoints that are not managed by the OpenIddict client stack. This error may also indicate that the redirection endpoint was not correctly enabled in the OpenIddict client options.</value>
   </data>
   <data name="ID0310" xml:space="preserve">
     <value>The specified grant type ({0}) is not currently supported for authentication demands.</value>
@@ -1358,6 +1358,29 @@ Alternatively, you can disable the token storage feature by calling 'services.Ad
   <data name="ID0355" xml:space="preserve">
     <value>No issuer was specified in the authentication context.</value>
   </data>
+  <data name="ID0356" xml:space="preserve">
+    <value>The redirection endpoint must be enabled to use the authorization code and implicit flows.</value>
+  </data>
+  <data name="ID0357" xml:space="preserve">
+    <value>At least one encryption key must be registered in the OpenIddict client options when using interactive login or logout flows.
+Consider registering a certificate using 'services.AddOpenIddict().AddClient().AddEncryptionCertificate()' or 'services.AddOpenIddict().AddClient().AddDevelopmentEncryptionCertificate()' or call 'services.AddOpenIddict().AddClient().AddEphemeralEncryptionKey()' to use an ephemeral key.</value>
+  </data>
+  <data name="ID0358" xml:space="preserve">
+    <value>At least one signing key must be registered in the OpenIddict client options when enabling using interactive login or logout flows.
+Consider registering a certificate using 'services.AddOpenIddict().AddClient().AddSigningCertificate()' or 'services.AddOpenIddict().AddClient().AddDevelopmentSigningCertificate()' or call 'services.AddOpenIddict().AddClient().AddEphemeralSigningKey()' to use an ephemeral key.</value>
+  </data>
+  <data name="ID0359" xml:space="preserve">
+    <value>The specified grant type ({0}) has not been enabled in the OpenIddict client options.</value>
+  </data>
+  <data name="ID0360" xml:space="preserve">
+    <value>No grant type enabled in the client options could be found in the list of grant types allowed by the client registration, which typically indicates an invalid configuration. Ensure the 'OpenIddictClientRegistration.GrantTypes' collection contain at least one of the grant types enabled in the client options or leave it empty to allow OpenIddict to negotiate all the enabled grant types.</value>
+  </data>
+  <data name="ID0361" xml:space="preserve">
+    <value>No response type enabled in the client options could be found in the list of response types allowed by the client registration, which typically indicates an invalid configuration. Ensure the 'OpenIddictClientRegistration.ResponseTypes' collection contain at least one of the response types enabled in the client options or leave it empty to allow OpenIddict to negotiate all the enabled response types.</value>
+  </data>
+  <data name="ID0362" xml:space="preserve">
+    <value>No response mode enabled in the client options could be found in the list of response modes allowed by the client registration, which typically indicates an invalid configuration. Ensure the 'OpenIddictClientRegistration.ResponseModes' collection contain at least one of the response modes enabled in the client options or leave it empty to allow OpenIddict to negotiate all the enabled response modes.</value>
+  </data>
   <data name="ID2000" xml:space="preserve">
     <value>The security token is missing.</value>
   </data>