Merge pull request #90 from damienbod/Update-IdentityServer4-V4

Update identity server4 v4

Author: damienbod

Changelog.md

@@ -2,6 +2,9 @@
 
 [Readme](https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate/blob/master/README.md) 
 
+2020-06-26 5.0.0
+- Updated to IdentityServer4 V4, updated packages
+
 2020-05-06 4.0.6
 - Updated FIDO2 to 1.1.0
 - Updating Nuget packages, npm packages

README.md

@@ -53,7 +53,7 @@ dotnet new -i IdentityServer4AspNetCoreIdentityTemplate
 Locally built nupkg:
 
 ```
-dotnet new -i IdentityServer4AspNetCoreIdentityTemplate.4.0.6.nupkg
+dotnet new -i IdentityServer4AspNetCoreIdentityTemplate.5.0.0.nupkg
 ```
 
 Local folder:

content/IdentityServer4AspNetCoreIdentityTemplate.nuspec

@@ -2,7 +2,7 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2012/06/nuspec.xsd">
 	<metadata>
 		<id>IdentityServer4AspNetCoreIdentityTemplate</id>
-		<version>4.0.6</version>
+		<version>5.0.0</version>
 		<title>IdentityServer4.Identity.Template</title>
 		<license type="file">LICENSE</license>
 		<description>
@@ -17,7 +17,7 @@
 		<requireLicenseAcceptance>false</requireLicenseAcceptance>
 		<copyright>2020 damienbod</copyright>
 		<summary>This template provides a simle getting started for IdentityServer4 with Identity. Identity is Localized and the UI uses Bootstrap 4, Remove AllowAnonymous from the logout</summary>
-		<releaseNotes>Same Site fix for Anti forgery cookie, Language Cookie add Same Site + Secure, Init language selection fix</releaseNotes>
+		<releaseNotes>Updated to IdentityServer4 V4, updated packages</releaseNotes>
 		<repository type="git" url="https://github.com/damienbod/IdentityServer4AspNetCoreIdentityTemplate" />
 		<packageTypes>
 			<packageType name="Template" />

content/StsServerIdentity/Config.cs

@@ -19,26 +19,34 @@ public static IEnumerable<IdentityResource> GetIdentityResources()
             };
         }
 
+        public static IEnumerable<ApiScope> GetApiScopes()
+        {
+            return new List<ApiScope>
+            {
+                //new ApiScope("dataEventRecords", "Scope for the dataEventRecords ApiResource"),
+                //new ApiScope("securedFiles",  "Scope for the securedFiles ApiResource")
+            };
+        }
+
         public static IEnumerable<ApiResource> GetApiResources()
         {
             return new List<ApiResource>
             {
-                // example code
-                //new ApiResource("dataEventRecords")
+                //new ApiResource("dataEventRecordsApi")
                 //{
                 //    ApiSecrets =
                 //    {
                 //        new Secret("dataEventRecordsSecret".Sha256())
                 //    },
-                //    Scopes =
+                //    Scopes = new List<string> { "dataEventRecords" }
+                //},
+                //new ApiResource("securedFilesApi")
+                //{
+                //    ApiSecrets =
                 //    {
-                //        new Scope
-                //        {
-                //            Name = "dataeventrecords",
-                //            DisplayName = "Scope for the dataEventRecords ApiResource"
-                //        }
+                //        new Secret("securedFilesSecret".Sha256())
                 //    },
-                //    UserClaims = { "role", "admin", "user", "dataEventRecords", "dataEventRecords.admin", "dataEventRecords.user" }
+                //    Scopes = new List<string> { "securedFiles" }
                 //}
             };
         }

content/StsServerIdentity/Controllers/AccountController.cs

@@ -11,15 +11,14 @@
 using StsServerIdentity.Models;
 using IdentityServer4.Services;
 using IdentityServer4.Stores;
-using IdentityServer4.Models;
 using IdentityModel;
 using IdentityServer4;
 using IdentityServer4.Extensions;
-using System.Globalization;
 using StsServerIdentity.Services;
 using Microsoft.Extensions.Localization;
 using StsServerIdentity.Resources;
 using System.Reflection;
+using Microsoft.AspNetCore.Authentication;
 
 namespace StsServerIdentity.Controllers
 {
@@ -35,6 +34,8 @@ public class AccountController : Controller
         private readonly IClientStore _clientStore;
         private readonly IPersistedGrantService _persistedGrantService;
         private readonly IStringLocalizer _sharedLocalizer;
+        private readonly IAuthenticationSchemeProvider _schemeProvider;
+        private readonly IEventService _events;
 
         public AccountController(
             UserManager<ApplicationUser> userManager,
@@ -45,7 +46,10 @@ public AccountController(
             IIdentityServerInteractionService interaction,
             IClientStore clientStore,
             IStringLocalizerFactory factory,
-            Fido2Storage fido2Storage)
+            Fido2Storage fido2Storage,
+            IAuthenticationSchemeProvider schemeProvider,
+            IEventService events)
+
         {
             _fido2Storage = fido2Storage;
             _userManager = userManager;
@@ -55,30 +59,24 @@ public AccountController(
             _logger = loggerFactory.CreateLogger<AccountController>();
             _interaction = interaction;
             _clientStore = clientStore;
+            _schemeProvider = schemeProvider;
+            _events = events;
 
             var type = typeof(SharedResource);
             var assemblyName = new AssemblyName(type.GetTypeInfo().Assembly.FullName);
             _sharedLocalizer = factory.Create("SharedResource", assemblyName.Name);
         }
 
-        //
-        // GET: /Account/Login
         [HttpGet]
         [AllowAnonymous]
-        public async Task<IActionResult> Login(string returnUrl = null)
+        public async Task<IActionResult> Login(string returnUrl)
         {
-            var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
-            if (context?.IdP != null)
-            {
-                // if IdP is passed, then bypass showing the login screen
-                return ExternalLogin(context.IdP, returnUrl);
-            }
+            // build a model so we know what to show on the login page
+            var vm = await BuildLoginViewModelAsync(returnUrl);
 
-            var vm = await BuildLoginViewModelAsync(returnUrl, context);
-
-            if (vm.EnableLocalLogin == false && vm.ExternalProviders.Count() == 1)
+            if (vm.IsExternalLoginOnly)
             {
-                // only one option for logging in
+                // we only have one option for logging in and it's an external provider
                 return ExternalLogin(vm.ExternalProviders.First().AuthenticationScheme, returnUrl);
             }
 
@@ -168,76 +166,19 @@ public IActionResult ErrorEnable2FA()
             return View();
         }
 
-        private async Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl, AuthorizationRequest context)
-        {
-            var loginProviders = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
-            var providers = loginProviders
-                .Where(x => x.DisplayName != null)
-                .Select(x => new ExternalProvider
-                {
-                    DisplayName = x.DisplayName,
-                    AuthenticationScheme = x.Name
-                });
-
-            var allowLocal = true;
-            if (context?.ClientId != null)
-            {
-                var client = await _clientStore.FindEnabledClientByIdAsync(context.ClientId);
-                if (client != null)
-                {
-                    allowLocal = client.EnableLocalLogin;
-
-                    if (client.IdentityProviderRestrictions != null && client.IdentityProviderRestrictions.Any())
-                    {
-                        providers = providers.Where(provider => client.IdentityProviderRestrictions.Contains(provider.AuthenticationScheme));
-                    }
-                }
-            }
-
-            return new LoginViewModel
-            {
-                EnableLocalLogin = allowLocal,
-                ReturnUrl = returnUrl,
-                Email = context?.LoginHint,
-                ExternalProviders = providers.ToArray()
-            };
-        }
-
-        private async Task<LoginViewModel> BuildLoginViewModelAsync(LoginInputModel model)
-        {
-            var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
-            var vm = await BuildLoginViewModelAsync(model.ReturnUrl, context);
-            vm.Email = model.Email;
-            vm.RememberLogin = model.RememberLogin;
-            return vm;
-        }
-
-        /// <summary>
-        /// Show logout page
-        /// </summary>
         [HttpGet]
         public async Task<IActionResult> Logout(string logoutId)
         {
-            if (User.Identity.IsAuthenticated == false)
-            {
-                // if the user is not authenticated, then just show logged out page
-                return await Logout(new LogoutViewModel { LogoutId = logoutId });
-            }
+            // build a model so the logout page knows what to display
+            var vm = await BuildLogoutViewModelAsync(logoutId);
 
-            var context = await _interaction.GetLogoutContextAsync(logoutId);
-            if (context?.ShowSignoutPrompt == false)
+            if (vm.ShowLogoutPrompt == false)
             {
-                // it's safe to automatically sign-out
-                return await Logout(new LogoutViewModel { LogoutId = logoutId });
+                // if the request for logout was properly authenticated from IdentityServer, then
+                // we don't need to show the prompt and can just log the user out directly.
+                return await Logout(vm);
             }
 
-            // show the logout prompt. this prevents attacks where the user
-            // is automatically signed out by another malicious web page.
-            var vm = new LogoutViewModel
-            {
-                LogoutId = logoutId
-            };
-
             return View(vm);
         }
 
@@ -283,11 +224,14 @@ public async Task<IActionResult> Logout(LogoutViewModel model)
 
             var vm = new LoggedOutViewModel
             {
+                AutomaticRedirectAfterSignOut = AccountOptions.AutomaticRedirectAfterSignOut,
                 PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
-                ClientName = logout?.ClientId,
-                SignOutIframeUrl = logout?.SignOutIFrameUrl
+                ClientName = string.IsNullOrEmpty(logout?.ClientName) ? logout?.ClientId : logout?.ClientName,
+                SignOutIframeUrl = logout?.SignOutIFrameUrl,
+                LogoutId = model.LogoutId
             };
 
+
             await _persistedGrantService.RemoveAllGrantsAsync(subjectId, "angular2client");
 
             return View("LoggedOut", vm);
@@ -678,6 +622,133 @@ public async Task<IActionResult> VerifyCode(VerifyCodeViewModel model)
             }
         }
 
+        private async Task<LoginViewModel> BuildLoginViewModelAsync(string returnUrl)
+        {
+            var context = await _interaction.GetAuthorizationContextAsync(returnUrl);
+            if (context?.IdP != null && await _schemeProvider.GetSchemeAsync(context.IdP) != null)
+            {
+                var local = context.IdP == IdentityServer4.IdentityServerConstants.LocalIdentityProvider;
+
+                // this is meant to short circuit the UI and only trigger the one external IdP
+                var vm = new LoginViewModel
+                {
+                    EnableLocalLogin = local,
+                    ReturnUrl = returnUrl,
+                    Email = context?.LoginHint,
+                };
+
+                if (!local)
+                {
+                    vm.ExternalProviders = new[] { new ExternalProvider { AuthenticationScheme = context.IdP } };
+                }
+
+                return vm;
+            }
+
+            var schemes = await _schemeProvider.GetAllSchemesAsync();
+
+            var providers = schemes
+                .Where(x => x.DisplayName != null)
+                .Select(x => new ExternalProvider
+                {
+                    DisplayName = x.DisplayName ?? x.Name,
+                    AuthenticationScheme = x.Name
+                }).ToList();
+
+            var allowLocal = true;
+            if (context?.Client.ClientId != null)
+            {
+                var client = await _clientStore.FindEnabledClientByIdAsync(context.Client.ClientId);
+                if (client != null)
+                {
+                    allowLocal = client.EnableLocalLogin;
+
+                    if (client.IdentityProviderRestrictions != null && client.IdentityProviderRestrictions.Any())
+                    {
+                        providers = providers.Where(provider => client.IdentityProviderRestrictions.Contains(provider.AuthenticationScheme)).ToList();
+                    }
+                }
+            }
+
+            return new LoginViewModel
+            {
+                AllowRememberLogin = AccountOptions.AllowRememberLogin,
+                EnableLocalLogin = allowLocal && AccountOptions.AllowLocalLogin,
+                ReturnUrl = returnUrl,
+                Email = context?.LoginHint,
+                ExternalProviders = providers.ToArray()
+            };
+        }
+
+        private async Task<LoginViewModel> BuildLoginViewModelAsync(LoginInputModel model)
+        {
+            var vm = await BuildLoginViewModelAsync(model.ReturnUrl);
+            vm.Email = model.Email;
+            vm.RememberLogin = model.RememberLogin;
+            return vm;
+        }
+
+        private async Task<LogoutViewModel> BuildLogoutViewModelAsync(string logoutId)
+        {
+            var vm = new LogoutViewModel { LogoutId = logoutId, ShowLogoutPrompt = AccountOptions.ShowLogoutPrompt };
+
+            if (User?.Identity.IsAuthenticated != true)
+            {
+                // if the user is not authenticated, then just show logged out page
+                vm.ShowLogoutPrompt = false;
+                return vm;
+            }
+
+            var context = await _interaction.GetLogoutContextAsync(logoutId);
+            if (context?.ShowSignoutPrompt == false)
+            {
+                // it's safe to automatically sign-out
+                vm.ShowLogoutPrompt = false;
+                return vm;
+            }
+
+            // show the logout prompt. this prevents attacks where the user
+            // is automatically signed out by another malicious web page.
+            return vm;
+        }
+
+        private async Task<LoggedOutViewModel> BuildLoggedOutViewModelAsync(string logoutId)
+        {
+            // get context information (client name, post logout redirect URI and iframe for federated signout)
+            var logout = await _interaction.GetLogoutContextAsync(logoutId);
+
+            var vm = new LoggedOutViewModel
+            {
+                AutomaticRedirectAfterSignOut = AccountOptions.AutomaticRedirectAfterSignOut,
+                PostLogoutRedirectUri = logout?.PostLogoutRedirectUri,
+                ClientName = string.IsNullOrEmpty(logout?.ClientName) ? logout?.ClientId : logout?.ClientName,
+                SignOutIframeUrl = logout?.SignOutIFrameUrl,
+                LogoutId = logoutId
+            };
+
+            if (User?.Identity.IsAuthenticated == true)
+            {
+                var idp = User.FindFirst(JwtClaimTypes.IdentityProvider)?.Value;
+                if (idp != null && idp != IdentityServer4.IdentityServerConstants.LocalIdentityProvider)
+                {
+                    var providerSupportsSignout = await HttpContext.GetSchemeSupportsSignOutAsync(idp);
+                    if (providerSupportsSignout)
+                    {
+                        if (vm.LogoutId == null)
+                        {
+                            // if there's no current logout context, we need to create one
+                            // this captures necessary info from the current logged in user
+                            // before we signout and redirect away to the external IdP for signout
+                            vm.LogoutId = await _interaction.CreateLogoutContextAsync();
+                        }
+
+                        vm.ExternalAuthenticationScheme = idp;
+                    }
+                }
+            }
+
+            return vm;
+        }
         #region Helpers
 
         private void AddErrors(IdentityResult result)