Rename CustomSignInManager to ApplicationSignInManager; Ad Idp claim …

…for correct signout from IS4;
skoruba · Oct 10, 2020 · b701f5f · b701f5f
1 parent e20619d
commit b701f5f
Show file tree

Hide file tree

Showing 4 changed files with 111 additions and 97 deletions.
diff --git a/src/Skoruba.IdentityServer4.Admin/appsettings.json b/src/Skoruba.IdentityServer4.Admin/appsettings.json
@@ -1,89 +1,90 @@
 {
-  "ConnectionStrings": {
-    "ConfigurationDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
-    "PersistedGrantDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
-    "IdentityDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
-    "AdminLogDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
-    "AdminAuditLogDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
-    "DataProtectionDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true"
-  },
-  "SeedConfiguration": {
-    "ApplySeed": true
-  },
-  "DatabaseMigrationsConfiguration": {
-    "ApplyDatabaseMigrations": true
-  },
-  "DatabaseProviderConfiguration": {
-    "ProviderType": "SqlServer"
-  },
-  "AdminConfiguration": {
-    "PageTitle": "Skoruba IdentityServer4 Admin",
-    "FaviconUri": "~/favicon.ico",
-    "IdentityAdminRedirectUri": "https://localhost:44303/signin-oidc",
-    "IdentityServerBaseUrl": "https://localhost:44310",
-    "IdentityAdminCookieName": "IdentityServerAdmin",
-    "IdentityAdminCookieExpiresUtcHours": 12,
-    "RequireHttpsMetadata": false,
-    "TokenValidationClaimName": "name",
-    "TokenValidationClaimRole": "role",
-    "ClientId": "skoruba_identity_admin",
-    "ClientSecret": "skoruba_admin_client_secret",
-    "OidcResponseType": "code",
-    "Scopes": [
-      "openid",
-      "profile",
-      "email",
-      "roles"
+    "ConnectionStrings": {
+        "ConfigurationDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
+        "PersistedGrantDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
+        "IdentityDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
+        "AdminLogDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
+        "AdminAuditLogDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true",
+        "DataProtectionDbConnection": "Server=(localdb)\\mssqllocaldb;Database=IdentityServer4Admin;Trusted_Connection=True;MultipleActiveResultSets=true"
+    },
+    "SeedConfiguration": {
+        "ApplySeed": true
+    },
+    "DatabaseMigrationsConfiguration": {
+        "ApplyDatabaseMigrations": true
+    },
+    "DatabaseProviderConfiguration": {
+        "ProviderType": "SqlServer"
+    },
+    "AdminConfiguration": {
+        "PageTitle": "Skoruba IdentityServer4 Admin",
+        "FaviconUri": "~/favicon.ico",
+        "IdentityAdminRedirectUri": "https://localhost:44303/signin-oidc",
+        "IdentityServerBaseUrl": "https://localhost:44310",
+        "IdentityAdminCookieName": "IdentityServerAdmin",
+        "IdentityAdminCookieExpiresUtcHours": 12,
+        "RequireHttpsMetadata": false,
+        "TokenValidationClaimName": "name",
+        "TokenValidationClaimRole": "role",
+        "ClientId": "skoruba_identity_admin",
+        "ClientSecret": "skoruba_admin_client_secret",
+        "OidcResponseType": "code",
+        "Scopes": [
+            "openid",
+            "profile",
+            "email",
+            "roles"
+        ],
+        "AdministrationRole": "SkorubaIdentityAdminAdministrator",
+        "HideUIForMSSqlErrorLogging": false
+    },
+    "CspTrustedDomains": [
+        "fonts.googleapis.com",
+        "fonts.gstatic.com",
+        "www.gravatar.com"
     ],
-    "AdministrationRole": "SkorubaIdentityAdminAdministrator",
-    "HideUIForMSSqlErrorLogging": false
-  },
-  "CspTrustedDomains": [
-    "fonts.googleapis.com",
-    "fonts.gstatic.com"
-  ],
-  "SmtpConfiguration": {
-    "Host": "",
-    "Login": "",
-    "Password": ""
-  },
-  "SendGridConfiguration": {
-    "ApiKey": "",
-    "SourceEmail": "",
-    "SourceName": ""
-  },
-  "AuditLoggingConfiguration": {
-    "Source": "IdentityServer.Admin.Web",
-    "SubjectIdentifierClaim": "sub",
-    "SubjectNameClaim": "name",
-    "IncludeFormVariables": false
-  },
-  "CultureConfiguration": {
-    "Cultures": [],
-    "DefaultCulture": null
-  },
-  "BasePath": "",
-  "IdentityOptions": {
-    "Password": {
-      "RequiredLength": 8
+    "SmtpConfiguration": {
+        "Host": "",
+        "Login": "",
+        "Password": ""
     },
-    "User": {
-      "RequireUniqueEmail": true
+    "SendGridConfiguration": {
+        "ApiKey": "",
+        "SourceEmail": "",
+        "SourceName": ""
+    },
+    "AuditLoggingConfiguration": {
+        "Source": "IdentityServer.Admin.Web",
+        "SubjectIdentifierClaim": "sub",
+        "SubjectNameClaim": "name",
+        "IncludeFormVariables": false
+    },
+    "CultureConfiguration": {
+        "Cultures": [],
+        "DefaultCulture": null
+    },
+    "BasePath": "",
+    "IdentityOptions": {
+        "Password": {
+            "RequiredLength": 8
+        },
+        "User": {
+            "RequireUniqueEmail": true
+        },
+        "SignIn": {
+            "RequireConfirmedAccount": false
+        }
+    },
+    "DataProtectionConfiguration": {
+        "ProtectKeysWithAzureKeyVault": false
     },
-    "SignIn": {
-      "RequireConfirmedAccount": false
-    }
-  },
-  "DataProtectionConfiguration": {
-    "ProtectKeysWithAzureKeyVault": false
-  },
 
-  "AzureKeyVaultConfiguration": {
-    "AzureKeyVaultEndpoint": "",
-    "ClientId": "",
-    "ClientSecret": "",
-    "UseClientCredentials": true,
-    "DataProtectionKeyIdentifier": "",
-    "ReadConfigurationFromKeyVault": false
-  }
+    "AzureKeyVaultConfiguration": {
+        "AzureKeyVaultEndpoint": "",
+        "ClientId": "",
+        "ClientSecret": "",
+        "UseClientCredentials": true,
+        "DataProtectionKeyIdentifier": "",
+        "ReadConfigurationFromKeyVault": false
+    }
 }
diff --git a/src/Skoruba.IdentityServer4.STS.Identity/Controllers/AccountController.cs b/src/Skoruba.IdentityServer4.STS.Identity/Controllers/AccountController.cs
@@ -40,7 +40,7 @@ public class AccountController<TUser, TKey> : Controller
     {
         private readonly UserResolver<TUser> _userResolver;
         private readonly UserManager<TUser> _userManager;
-        private readonly CustomSignInManager<TUser> _signInManager;
+        private readonly ApplicationSignInManager<TUser> _signInManager;
         private readonly IIdentityServerInteractionService _interaction;
         private readonly IClientStore _clientStore;
         private readonly IAuthenticationSchemeProvider _schemeProvider;
@@ -55,7 +55,7 @@ public class AccountController<TUser, TKey> : Controller
         public AccountController(
             UserResolver<TUser> userResolver,
             UserManager<TUser> userManager,
-            CustomSignInManager<TUser> signInManager,
+            ApplicationSignInManager<TUser> signInManager,
             IIdentityServerInteractionService interaction,
             IClientStore clientStore,
             IAuthenticationSchemeProvider schemeProvider,

diff --git a/...S.Identity/Helpers/CustomSignInManager.cs → ...ntity/Helpers/ApplicationSignInManager.cs b/...S.Identity/Helpers/CustomSignInManager.cs → ...ntity/Helpers/ApplicationSignInManager.cs
@@ -1,23 +1,28 @@
-using IdentityModel;
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+// File: https://github.com/IdentityServer/IdentityServer4/blob/main/samples/Quickstarts/3_AspNetCoreAndApis/src/IdentityServer/Quickstart/Account/ExternalController.cs
+
+// Modified by Jan Škoruba and J. Arturo
+
+using IdentityModel;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
-using System;
 using System.Collections.Generic;
 using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 
 namespace Skoruba.IdentityServer4.STS.Identity.Helpers
 {
-    public class CustomSignInManager<TUser> : SignInManager<TUser>
+    public class ApplicationSignInManager<TUser> : SignInManager<TUser>
         where TUser : class
     {
-        private IHttpContextAccessor _contextAccessor;
+        private readonly IHttpContextAccessor _contextAccessor;
 
-        public CustomSignInManager(UserManager<TUser> userManager,
+        public ApplicationSignInManager(UserManager<TUser> userManager,
             IHttpContextAccessor contextAccessor,
             IUserClaimsPrincipalFactory<TUser> claimsFactory,
             IOptions<IdentityOptions> optionsAccessor,
@@ -31,11 +36,7 @@ public CustomSignInManager(UserManager<TUser> userManager,
 
         public override async Task SignInWithClaimsAsync(TUser user, AuthenticationProperties authenticationProperties, IEnumerable<Claim> additionalClaims)
         {
-            List<Claim> claims = new List<Claim>();
-            foreach (var claim in additionalClaims)
-            {
-                claims.Add(claim);
-            }
+            var claims = additionalClaims.ToList();
 
             var externalResult = await _contextAccessor.HttpContext.AuthenticateAsync(IdentityConstants.ExternalScheme);
             if (externalResult != null && externalResult.Succeeded)
@@ -48,13 +49,21 @@ public override async Task SignInWithClaimsAsync(TUser user, AuthenticationPrope
 
                 if (authenticationProperties != null)
                 {
-                    // if the external provider issued an id_token, we'll keep it for signout
+                    // if the external provider issued an id_token, we'll keep it for sign out
                     var idToken = externalResult.Properties.GetTokenValue("id_token");
                     if (idToken != null)
                     {
                         authenticationProperties.StoreTokens(new[] { new AuthenticationToken { Name = "id_token", Value = idToken } });
                     }
                 }
+
+                var authenticationMethod = claims.FirstOrDefault(x => x.Type == ClaimTypes.AuthenticationMethod);
+                var idp = claims.FirstOrDefault(x => x.Type == JwtClaimTypes.IdentityProvider);
+
+                if (authenticationMethod != null && idp == null)
+                {
+                    claims.Add(new Claim(JwtClaimTypes.IdentityProvider, authenticationMethod.Value));
+                }
             }
 
             await base.SignInWithClaimsAsync(user, authenticationProperties, claims);

diff --git a/src/Skoruba.IdentityServer4.STS.Identity/Helpers/StartupHelpers.cs b/src/Skoruba.IdentityServer4.STS.Identity/Helpers/StartupHelpers.cs
@@ -23,7 +23,9 @@
 using Skoruba.IdentityServer4.STS.Identity.Configuration.Interfaces;
 using Skoruba.IdentityServer4.STS.Identity.Helpers.Localization;
 using System.Linq;
+using IdentityServer4;
 using Microsoft.AspNetCore.Authentication.AzureAD.UI;
+using Microsoft.AspNetCore.Authentication.OAuth;
 using Skoruba.IdentityServer4.Admin.EntityFramework.Interfaces;
 using Skoruba.IdentityServer4.Admin.EntityFramework.MySql.Extensions;
 using Skoruba.IdentityServer4.Admin.EntityFramework.PostgreSQL.Extensions;
@@ -32,6 +34,7 @@
 using Skoruba.IdentityServer4.Admin.EntityFramework.Helpers;
 using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
 using Microsoft.AspNetCore.Http;
+using Microsoft.IdentityModel.Tokens;
 using Skoruba.IdentityServer4.Shared.Authentication;
 using Skoruba.IdentityServer4.Shared.Configuration.Identity;
 
@@ -135,6 +138,7 @@ public static void UseSecurityHeaders(this IApplicationBuilder app, IConfigurati
                         options.SelfSrc = true;
                         options.CustomSources = cspTrustedDomains;
                         options.Enabled = true;
+                        options.UnsafeInlineSrc = true;
                     });
                     csp.StyleSources(options =>
                     {
@@ -250,7 +254,7 @@ public static void AddAuthenticationServices<TIdentityDbContext, TUserIdentity,
                 .AddSingleton(registrationConfiguration)
                 .AddSingleton(loginConfiguration)
                 .AddSingleton(identityOptions)
-                .AddScoped<CustomSignInManager<TUserIdentity>>()
+                .AddScoped<ApplicationSignInManager<TUserIdentity>>()
                 .AddScoped<UserResolver<TUserIdentity>>()
                 .AddIdentity<TUserIdentity, TUserIdentityRole>(options => configuration.GetSection(nameof(IdentityOptions)).Bind(options))
                 .AddEntityFrameworkStores<TIdentityDbContext>()