Skip to content
This repository has been archived by the owner on Jul 31, 2024. It is now read-only.

Cleanup of resource validator and scope parser #4452

Merged
merged 7 commits into from
Jun 12, 2020
Merged

Cleanup of resource validator and scope parser #4452

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e8c1ade
attempt to clarify semantics
brockallen May 29, 2020
53c4e43
another possible improvement?
brockallen May 30, 2020
459e4a8
minor feedback
brockallen Jun 1, 2020
6e20a01
make individual scope validation easier
brockallen Jun 11, 2020
3b197b4
Merge branch 'master' into features/resource_validator_refactor
brockallen Jun 11, 2020
bdad7ae
update other hosts to match resource changes
brockallen Jun 11, 2020
cd967bc
updates from code review/testing
brockallen Jun 12, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 10 additions & 10 deletions src/AspNetIdentity/host/Configuration/ClientsConsole.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@ public static IEnumerable<Client> Get()
ClientId = "client",
ClientSecrets = {new Secret("secret".Sha256())},
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "scope1", "scope2", IdentityServerConstants.LocalApi.ScopeName}
AllowedScopes = { "resource1.scope1", "resource2.scope1", IdentityServerConstants.LocalApi.ScopeName}
},

///////////////////////////////////////////
Expand Down Expand Up @@ -60,7 +60,7 @@ public static IEnumerable<Client> Get()

AccessTokenType = AccessTokenType.Jwt,
AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "scope1", "scope2" }
AllowedScopes = { "resource1.scope1", "resource2.scope1" }
},

///////////////////////////////////////////
Expand All @@ -86,7 +86,7 @@ public static IEnumerable<Client> Get()
},

AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "scope1", "scope2" }
AllowedScopes = { "resource1.scope1", "resource2.scope1" }
},

///////////////////////////////////////////
Expand All @@ -97,7 +97,7 @@ public static IEnumerable<Client> Get()
ClientId = "client.custom",
ClientSecrets = {new Secret("secret".Sha256())},
AllowedGrantTypes = {"custom", "custom.nosubject"},
AllowedScopes = { "scope1", "scope2" }
AllowedScopes = { "resource1.scope1", "resource2.scope1" }
},

///////////////////////////////////////////
Expand All @@ -113,7 +113,7 @@ public static IEnumerable<Client> Get()
{
IdentityServerConstants.StandardScopes.OpenId,
"custom.profile",
"scope1", "scope2"
"resource1.scope1", "resource2.scope1"
}
},

Expand All @@ -130,7 +130,7 @@ public static IEnumerable<Client> Get()
{
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Email,
"scope1", "scope2"
"resource1.scope1", "resource2.scope1"
}
},

Expand All @@ -151,7 +151,7 @@ public static IEnumerable<Client> Get()
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"scope1", "scope2"
"resource1.scope1", "resource2.scope1"
}
},
///////////////////////////////////////////
Expand All @@ -173,7 +173,7 @@ public static IEnumerable<Client> Get()
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"scope1", "scope2"
"resource1.scope1", "resource2.scope1"
}
},

Expand All @@ -186,7 +186,7 @@ public static IEnumerable<Client> Get()
ClientId = "roclient.reference",
ClientSecrets = {new Secret("secret".Sha256())},
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword,
AllowedScopes = {"scope1", "scope2"},
AllowedScopes = { "resource1.scope1", "resource2.scope1" },
AccessTokenType = AccessTokenType.Reference
},

Expand All @@ -208,7 +208,7 @@ public static IEnumerable<Client> Get()
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"scope1", "scope2"
"resource1.scope1", "resource2.scope1"
}
}
};
Expand Down
4 changes: 2 additions & 2 deletions src/AspNetIdentity/host/Configuration/ClientsWeb.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,8 @@ public static class ClientsWeb
IdentityServerConstants.StandardScopes.OpenId,
IdentityServerConstants.StandardScopes.Profile,
IdentityServerConstants.StandardScopes.Email,
"scope1",
"scope2",
"resource1.scope1",
"resource2.scope1",
"transaction"
};

Expand Down
25 changes: 12 additions & 13 deletions src/AspNetIdentity/host/Configuration/Resources.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,20 @@ public class Resources
public static readonly IEnumerable<ApiScope> ApiScopes =
new[]
{
// local feature
// local API scope
new ApiScope(LocalApi.ScopeName),

// some generic scopes
new ApiScope("scope1"),
new ApiScope("scope2"),
// resource specific scopes
new ApiScope("resource1.scope1"),
new ApiScope("resource2.scope1"),

// a scope without resource association
new ApiScope("scope3"),

// a scope shared by multiple resources
new ApiScope("shared.scope"),

// used as a dynamic scope
// a parameterized scope
new ApiScope("transaction", "Transaction")
{
Description = "Some Transaction"
Expand All @@ -48,15 +52,11 @@ public class Resources
public static readonly IEnumerable<ApiResource> ApiResources =
new[]
{
// simple version with ctor
new ApiResource("resource1", "Resource 1")
{
// this is needed for introspection when using reference tokens
ApiSecrets = { new Secret("secret".Sha256()) },

//AllowedSigningAlgorithms = { "RS256", "ES256" }

Scopes = { "scope1", "shared.scope" }
Scopes = { "resource1.scope1", "shared.scope" }
},

// expanded version if more control is needed
Expand All @@ -67,15 +67,14 @@ public class Resources
new Secret("secret".Sha256())
},

//AllowedSigningAlgorithms = { "PS256", "ES256", "RS256" },

// additional claims to put into access token
UserClaims =
{
JwtClaimTypes.Name,
JwtClaimTypes.Email
},

Scopes = { "scope2", "shared.scope" }
Scopes = { "resource2.scope1", "shared.scope" }
}
};
}
Expand Down
14 changes: 7 additions & 7 deletions src/AspNetIdentity/host/Quickstart/Consent/ConsentController.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -109,7 +109,7 @@ private async Task<ProcessConsentResult> ProcessConsent(ConsentInputModel model)
grantedConsent = new ConsentResponse { Error = AuthorizationError.AccessDenied };

// emit event
await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.ScopeValues));
await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues));
}
// user clicked 'yes' - validate the data
else if (model?.Button == "yes")
Expand All @@ -131,7 +131,7 @@ private async Task<ProcessConsentResult> ProcessConsent(ConsentInputModel model)
};

// emit event
await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.ScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent));
await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent));
}
else
{
Expand Down Expand Up @@ -199,10 +199,10 @@ private ConsentViewModel CreateConsentViewModel(
var apiScopes = new List<ScopeViewModel>();
foreach(var parsedScope in request.ValidatedResources.ParsedScopes)
{
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.Name);
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);
if (apiScope != null)
{
var scopeVm = CreateScopeViewModel(parsedScope, apiScope, vm.ScopesConsented.Contains(parsedScope.Value) || model == null);
var scopeVm = CreateScopeViewModel(parsedScope, apiScope, vm.ScopesConsented.Contains(parsedScope.RawValue) || model == null);
apiScopes.Add(scopeVm);
}
}
Expand Down Expand Up @@ -231,14 +231,14 @@ private ScopeViewModel CreateScopeViewModel(IdentityResource identity, bool chec
public ScopeViewModel CreateScopeViewModel(ParsedScopeValue parsedScopeValue, ApiScope apiScope, bool check)
{
var displayName = apiScope.DisplayName ?? apiScope.Name;
if (!String.IsNullOrWhiteSpace(parsedScopeValue.ParameterValue))
if (!String.IsNullOrWhiteSpace(parsedScopeValue.ParsedParameter))
{
displayName += ":" + parsedScopeValue.ParameterValue;
displayName += ":" + parsedScopeValue.ParsedParameter;
}

return new ScopeViewModel
{
Value = parsedScopeValue.Value,
Value = parsedScopeValue.RawValue,
DisplayName = displayName,
Description = apiScope.Description,
Emphasize = apiScope.Emphasize,
Expand Down
2 changes: 1 addition & 1 deletion src/AspNetIdentity/host/Quickstart/Device/DeviceAuthorizationInputModel.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.


namespace IdentityServer4.Quickstart.UI.Device
namespace IdentityServer4.Quickstart.UI
{
public class DeviceAuthorizationInputModel : ConsentInputModel
{
Expand Down
2 changes: 1 addition & 1 deletion src/AspNetIdentity/host/Quickstart/Device/DeviceAuthorizationViewModel.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.


namespace IdentityServer4.Quickstart.UI.Device
namespace IdentityServer4.Quickstart.UI
{
public class DeviceAuthorizationViewModel : ConsentViewModel
{
Expand Down
12 changes: 6 additions & 6 deletions src/AspNetIdentity/host/Quickstart/Device/DeviceController.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

namespace IdentityServer4.Quickstart.UI.Device
namespace IdentityServer4.Quickstart.UI
{
[Authorize]
[SecurityHeaders]
Expand Down Expand Up @@ -91,7 +91,7 @@ private async Task<ProcessConsentResult> ProcessConsent(DeviceAuthorizationInput
grantedConsent = new ConsentResponse { Error = AuthorizationError.AccessDenied };

// emit event
await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.ScopeValues));
await _events.RaiseAsync(new ConsentDeniedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues));
}
// user clicked 'yes' - validate the data
else if (model.Button == "yes")
Expand All @@ -113,7 +113,7 @@ private async Task<ProcessConsentResult> ProcessConsent(DeviceAuthorizationInput
};

// emit event
await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.ScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent));
await _events.RaiseAsync(new ConsentGrantedEvent(User.GetSubjectId(), request.Client.ClientId, request.ValidatedResources.RawScopeValues, grantedConsent.ScopesValuesConsented, grantedConsent.RememberConsent));
}
else
{
Expand Down Expand Up @@ -175,10 +175,10 @@ private DeviceAuthorizationViewModel CreateConsentViewModel(string userCode, Dev
var apiScopes = new List<ScopeViewModel>();
foreach (var parsedScope in request.ValidatedResources.ParsedScopes)
{
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.Name);
var apiScope = request.ValidatedResources.Resources.FindApiScope(parsedScope.ParsedName);
if (apiScope != null)
{
var scopeVm = CreateScopeViewModel(parsedScope, apiScope, vm.ScopesConsented.Contains(parsedScope.Value) || model == null);
var scopeVm = CreateScopeViewModel(parsedScope, apiScope, vm.ScopesConsented.Contains(parsedScope.RawValue) || model == null);
apiScopes.Add(scopeVm);
}
}
Expand Down Expand Up @@ -208,7 +208,7 @@ public ScopeViewModel CreateScopeViewModel(ParsedScopeValue parsedScopeValue, Ap
{
return new ScopeViewModel
{
Value = parsedScopeValue.Value,
Value = parsedScopeValue.RawValue,
// todo: use the parsed scope value in the display?
DisplayName = apiScope.DisplayName ?? apiScope.Name,
Description = apiScope.Description,
Expand Down
2 changes: 1 addition & 1 deletion src/AspNetIdentity/host/Views/Device/UserCodeConfirmation.cshtml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
@model IdentityServer4.Quickstart.UI.Device.DeviceAuthorizationViewModel
@model DeviceAuthorizationViewModel

<div class="page-device-confirmation">
<div class="lead">
Expand Down
35 changes: 0 additions & 35 deletions src/EntityFramework/host/Extensions/ExtensionGrantValidator.cs
View file
Open in desktop

This file was deleted.

35 changes: 0 additions & 35 deletions src/EntityFramework/host/Extensions/NoSubjectExtensionGrantValidator.cs
View file
Open in desktop

This file was deleted.

Loading