From 26999f749befdb2704edc009bfac46131f426eb9 Mon Sep 17 00:00:00 2001 From: Dominick Baier Date: Wed, 2 Sep 2015 18:06:47 +0200 Subject: [PATCH 1/5] Add "PreserveAccessToken" options --- ...tityServerBearerTokenAuthenticationOptions.cs | 9 +++++++++ ...rBearerTokenValidationAppBuilderExtensions.cs | 1 + ...ntityServerBearerTokenValidationMiddleware.cs | 16 ++++++++++++++++ ...tityServerOAuthBearerAuthenticationOptions.cs | 8 ++++++++ 4 files changed, 34 insertions(+) diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs b/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs index f8f0f71..857bbfe 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs @@ -39,6 +39,7 @@ public IdentityServerBearerTokenAuthenticationOptions() : base("Bearer") ValidationMode = ValidationMode.Both; RequiredScopes = Enumerable.Empty(); ValidationResultCacheDuration = TimeSpan.FromMinutes(5); + PreserveAccessToken = true; } /// @@ -128,5 +129,13 @@ public IdentityServerBearerTokenAuthenticationOptions() : base("Bearer") /// The required scopes. /// public IEnumerable RequiredScopes { get; set; } + + /// + /// Gets or sets a value indicating whether to preserve the access token as a claim. + /// + /// + /// true if access token is preserved; otherwise, false. + /// + public bool PreserveAccessToken { get; set; } } } \ No newline at end of file diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs b/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs index 3bfa289..ef0fa45 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs 
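Review bot: The XML doc added for `PreserveAccessToken` in hunk `@@ -128,5 +129,13` does not say where the token ends up, yet the claim type is a fixed string that callers need in order to read it back. Extend the summary with `/// When enabled, the validated access token is added to the authenticated identity as a claim of type "token".` Since the raw bearer token then travels with the principal, the remarks should also state that it will appear wherever claims are logged, serialized or displayed, which argues for leaving the option off by default (a later commit in this series does that).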
@@ -61,6 +61,7 @@ public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBu middlewareOptions.TokenProvider = options.TokenProvider; } + middlewareOptions.PreserveAccessToken = options.PreserveAccessToken; app.Use(middlewareOptions); if (options.RequiredScopes.Any()) diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs b/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs index 006a4d2..0241748 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs @@ -21,6 +21,7 @@ using System; using System.Collections.Generic; using System.Linq; +using System.Security.Claims; using System.Threading.Tasks; using AppFunc = System.Func, System.Threading.Tasks.Task>; @@ -111,6 +112,11 @@ public async Task Invoke(IDictionary environment) } } + if (_options.PreserveAccessToken) + { + PreserveAccessToken(context, token); + } + await _next(environment); } @@ -144,5 +150,15 @@ private async Task GetTokenAsync(OwinContext context) return requestToken; } + + private void PreserveAccessToken(OwinContext context, string token) + { + if (context.Authentication.User != null && + context.Authentication.User.Identity != null && + context.Authentication.User.Identity.IsAuthenticated) + { + context.Authentication.User.Identities.First().AddClaim(new Claim("token", token)); + } + } } } \ No newline at end of file diff --git a/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs b/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs index 3d3c0f3..adabe39 100644 --- a/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs +++ b/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs 
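Review bot: The `if (_options.PreserveAccessToken)` block added to `Invoke` in hunk `@@ -111,6 +112,11` sits after the two branches that `return` right after `await _endpointValidationFunc(environment)`, so on those paths the claim is never added; the second commit in this series moves the call. Separately, the new `PreserveAccessToken` helper checks `context.Authentication.User.Identity.IsAuthenticated` but mutates `Identities.First()`, which need not be the same identity when the principal carries more than one. Using `var identity = context.Authentication.User.Identities.FirstOrDefault(i => i.IsAuthenticated);` followed by a null check before `identity.AddClaim(new Claim("token", token));` keeps the check and the mutation on the same object. The body of `Invoke` starts outside the hunk.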
@@ -46,5 +46,13 @@ public class IdentityServerOAuthBearerAuthenticationOptions /// The endpoint validation options. /// public OAuthBearerAuthenticationOptions EndpointValidationOptions { get; set; } + + /// + /// Gets or sets a value indicating whether to preserve the access token as a claim. + /// + /// + /// true if access token is preserved; otherwise, false. + /// + public bool PreserveAccessToken { get; set; } } } \ No newline at end of file From 5b82239e65a45c4ae123cd7779e3521148660303 Mon Sep 17 00:00:00 2001 From: Dominick Baier Date: Wed, 2 Sep 2015 18:24:25 +0200 Subject: [PATCH 2/5] moved preserve call --- ...tyServerBearerTokenValidationMiddleware.cs | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs b/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs index 0241748..6b4170c 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs @@ -85,7 +85,6 @@ public async Task Invoke(IDictionary environment) context.Set("idsrv:tokenvalidation:token", token); - // seems to be a JWT if (token.Contains('.')) { @@ -99,6 +98,7 @@ public async Task Invoke(IDictionary environment) if (_endpointValidationFunc != null) { await _endpointValidationFunc(environment); + PreserveAccessToken(context, token); return; } } @@ -108,15 +108,11 @@ public async Task Invoke(IDictionary environment) if (_endpointValidationFunc != null) { await _endpointValidationFunc(environment); + PreserveAccessToken(context, token); return; } } - if (_options.PreserveAccessToken) - { - PreserveAccessToken(context, token); - } - await _next(environment); } 
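Review bot: Hunk `@@ -85,7 +85,6` of the middleware drops the `// seems to be a JWT` comment without replacing it, leaving `if (token.Contains('.'))` as an unexplained heuristic; keep a comment such as `// contains a '.' - seems to be a JWT` above the check. In the two hunks below it, `PreserveAccessToken(context, token)` now runs only after `await _endpointValidationFunc(environment)` returns; if that delegate invokes the rest of the pipeline (not visible here), downstream handlers have already executed by the time the claim is added. The third commit in this series replaces this with a separate middleware, which avoids the question.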
@@ -153,11 +149,14 @@ private async Task GetTokenAsync(OwinContext context) private void PreserveAccessToken(OwinContext context, string token) { - if (context.Authentication.User != null && - context.Authentication.User.Identity != null && - context.Authentication.User.Identity.IsAuthenticated) + if (_options.PreserveAccessToken) { - context.Authentication.User.Identities.First().AddClaim(new Claim("token", token)); + if (context.Authentication.User != null && + context.Authentication.User.Identity != null && + context.Authentication.User.Identity.IsAuthenticated) + { + context.Authentication.User.Identities.First().AddClaim(new Claim("token", token)); + } } } } From e9832ae28d2fb056d62e5759a5640707694fccb1 Mon Sep 17 00:00:00 2001 From: Dominick Baier Date: Wed, 2 Sep 2015 21:13:41 +0200 Subject: [PATCH 3/5] moved preserve logic to separate MW --- .../AccessTokenValidation.csproj | 1 + ...arerTokenValidationAppBuilderExtensions.cs | 6 +- ...tyServerBearerTokenValidationMiddleware.cs | 15 ---- ...yServerOAuthBearerAuthenticationOptions.cs | 8 --- .../PreserveAccessTokenMiddleware.cs | 69 +++++++++++++++++++ 5 files changed, 75 insertions(+), 24 deletions(-) create mode 100644 source/AccessTokenValidation/PreserveAccessTokenMiddleware.cs diff --git a/source/AccessTokenValidation/AccessTokenValidation.csproj b/source/AccessTokenValidation/AccessTokenValidation.csproj index 9127837..9614af2 100644 --- a/source/AccessTokenValidation/AccessTokenValidation.csproj +++ b/source/AccessTokenValidation/AccessTokenValidation.csproj @@ -98,6 +98,7 @@ + diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs b/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs index ef0fa45..b8b4fac 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenValidationAppBuilderExtensions.cs 
@@ -61,7 +61,6 @@ public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBu middlewareOptions.TokenProvider = options.TokenProvider; } - middlewareOptions.PreserveAccessToken = options.PreserveAccessToken; app.Use(middlewareOptions); if (options.RequiredScopes.Any()) @@ -69,6 +68,11 @@ public static IAppBuilder UseIdentityServerBearerTokenAuthentication(this IAppBu app.Use(options.RequiredScopes); } + if (options.PreserveAccessToken) + { + app.Use(); + } + return app; } diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs b/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs index 6b4170c..30b4b68 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenValidationMiddleware.cs @@ -98,7 +98,6 @@ public async Task Invoke(IDictionary environment) if (_endpointValidationFunc != null) { await _endpointValidationFunc(environment); - PreserveAccessToken(context, token); return; } } @@ -108,7 +107,6 @@ public async Task Invoke(IDictionary environment) if (_endpointValidationFunc != null) { await _endpointValidationFunc(environment); - PreserveAccessToken(context, token); return; } } @@ -146,18 +144,5 @@ private async Task GetTokenAsync(OwinContext context) return requestToken; } - - private void PreserveAccessToken(OwinContext context, string token) - { - if (_options.PreserveAccessToken) - { - if (context.Authentication.User != null && - context.Authentication.User.Identity != null && - context.Authentication.User.Identity.IsAuthenticated) - { - context.Authentication.User.Identities.First().AddClaim(new Claim("token", token)); - } - } - } } } \ No newline at end of file diff --git a/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs b/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs index adabe39..3d3c0f3 100644 
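Review bot: With the `PreserveAccessToken` helper deleted in hunk `@@ -146,18 +144,5`, the `using System.Security.Claims;` that the first commit added to this file appears to have no remaining use; the using block is outside these hunks, so confirm before removing it. In the extension hunk `@@ -69,6 +68,11`, the preserve middleware is registered after the required-scopes middleware, so presumably the claim is only attached once the scope check has let the request through — worth a one-line comment there, e.g. `// registered after the scope middleware so the token claim is only added to requests that passed scope validation`.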
--- a/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs +++ b/source/AccessTokenValidation/IdentityServerOAuthBearerAuthenticationOptions.cs @@ -46,13 +46,5 @@ public class IdentityServerOAuthBearerAuthenticationOptions /// The endpoint validation options. /// public OAuthBearerAuthenticationOptions EndpointValidationOptions { get; set; } - - /// - /// Gets or sets a value indicating whether to preserve the access token as a claim. - /// - /// - /// true if access token is preserved; otherwise, false. - /// - public bool PreserveAccessToken { get; set; } } } \ No newline at end of file diff --git a/source/AccessTokenValidation/PreserveAccessTokenMiddleware.cs b/source/AccessTokenValidation/PreserveAccessTokenMiddleware.cs new file mode 100644 index 0000000..e659532 --- /dev/null +++ b/source/AccessTokenValidation/PreserveAccessTokenMiddleware.cs 
@@ -0,0 +1,69 @@ +/* + * Copyright 2015 Dominick Baier, Brock Allen + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +using Microsoft.Owin; +using System; +using System.Collections.Generic; +using System.Linq; +using System.Security.Claims; +using System.Threading.Tasks; +using AppFunc = System.Func, System.Threading.Tasks.Task>; + +namespace IdentityServer3.AccessTokenValidation +{ + /// + /// Middleware to check for scope claims in access token + /// + internal class PreserveAccessTokenMiddleware + { + private readonly AppFunc _next; + + /// + /// Initializes a new instance of the class. + /// + /// The next middleware. + public PreserveAccessTokenMiddleware(AppFunc next) + { + _next = next; + } + + /// + /// Invokes the middleware. + /// + /// The OWIN environment. + /// + public async Task Invoke(IDictionary env) + { + var context = new OwinContext(env); + + // if no token was sent - no need to validate scopes + var principal = context.Authentication.User; + if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated) + { + await _next(env); + return; + } + + var token = context.Get("idsrv:tokenvalidation:token"); + if (!string.IsNullOrWhiteSpace(token)) + { + principal.Identities.First().AddClaim(new Claim("token", token)); + } + + await _next(env); + } + } +} \ No newline at end of file From dfb629a94718d2cf2a482b4cc2e37c2ee7faf206 Mon Sep 17 00:00:00 2001 
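Review bot: `Invoke` gates on `principal.Identity.IsAuthenticated` but adds the claim to `principal.Identities.First()`; `ClaimsPrincipal.Identity` is chosen by the principal's primary-identity selector rather than by position, so with more than one identity the claim can land on an unauthenticated one. Pick the identity explicitly with `var identity = principal.Identities.FirstOrDefault(i => i.IsAuthenticated);` and guard with `if (identity != null && !string.IsNullOrWhiteSpace(token))` before `identity.AddClaim(new Claim("token", token));`. The class summary `Middleware to check for scope claims in access token` and the comment `// if no token was sent - no need to validate scopes` are carried over from the scope middleware and describe the wrong thing; the summary should read `Middleware that copies the validated access token onto the authenticated identity as a "token" claim`, and the comment `// no authenticated principal - nothing to attach the token to`. The claim type `"token"` is a magic string shared with whoever reads it back; a `public const string` on the options type would let consumers reference it instead of retyping it. Because the raw bearer token now lives on the principal, anything that logs or serializes claims will contain a replayable credential, and the summary should say so explicitly.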
From: Dominick Baier Date: Thu, 3 Sep 2015 17:39:29 +0200 Subject: [PATCH 4/5] Make PreserveAccessToken default to false --- .../IdentityServerBearerTokenAuthenticationOptions.cs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs b/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs index 857bbfe..0607c2d 100644 --- a/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs +++ b/source/AccessTokenValidation/IdentityServerBearerTokenAuthenticationOptions.cs @@ -39,7 +39,7 @@ public IdentityServerBearerTokenAuthenticationOptions() : base("Bearer") ValidationMode = ValidationMode.Both; RequiredScopes = Enumerable.Empty(); ValidationResultCacheDuration = TimeSpan.FromMinutes(5); - PreserveAccessToken = true; + PreserveAccessToken = false; } /// @@ -131,7 +131,7 @@ public IdentityServerBearerTokenAuthenticationOptions() : base("Bearer") public IEnumerable RequiredScopes { get; set; } /// - /// Gets or sets a value indicating whether to preserve the access token as a claim. + /// Gets or sets a value indicating whether to preserve the access token as a claim. Defaults to false. /// /// /// true if access token is preserved; otherwise, false. From 3e86ff2e3f5a179f47d5c2dc45a82f7e8b18ec5f Mon Sep 17 00:00:00 2001 From: Dominick Baier Date: Thu, 3 Sep 2015 17:43:20 +0200 Subject: [PATCH 5/5] 2.1.0 --- default.ps1 | 2 +- source/VersionAssemblyInfo.cs | Bin 226 -> 226 bytes 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/default.ps1 b/default.ps1 index 5f84f0f..1e4e8c7 100644 --- a/default.ps1 +++ b/default.ps1 @@ -11,7 +11,7 @@ properties { $nuget_path = "$src_directory\.nuget\nuget.exe" $buildNumber = 0; - $version = "2.0.0.0" + $version = "2.1.0.0" $preRelease = $null } 
diff --git a/source/VersionAssemblyInfo.cs b/source/VersionAssemblyInfo.cs index 1ceeba718ebcac77b417a816d11a42b335b6d351..9874791c16b15635a4cfb8810de5405cc0872012 100644 GIT binary patch delta 32 kcmaFF_=s^r8KdFE@^BGD20aD?FjivFWQb+pW#D1}0F8PE9smFU delta 32 jcmaFF_=s^r8Kc3(@^BFY20aD{R$|a(h-Khq;9>v(jZFp|