re-working claims for aspnet core identity integration and backwards compat

2024-11-25 12:45:18 +01:00 · 2017-01-11 21:46:36 -05:00 · 2017-01-11 21:46:36 -05:00 · 038c98cfaf
commit 038c98cfaf
parent 54711e634b
8 changed files with 35 additions and 16 deletions
--- a/src/Api/Controllers/AccountsController.cs
+++ b/src/Api/Controllers/AccountsController.cs
@ -64,6 +64,7 @@ namespace Bit.Api.Controllers
        [HttpPost("email-token")]
        public async Task PostEmailToken([FromBody]EmailTokenRequestModel model)
        {
            _currentContext.User = await _userService.GetUserByIdAsync(_userManager.GetUserId(User));
            if(!await _userManager.CheckPasswordAsync(_currentContext.User, model.MasterPasswordHash))
            {
                await Task.Delay(2000);
@ -151,10 +152,11 @@ namespace Bit.Api.Controllers
        }
        [HttpGet("profile")]
-        public Task<ProfileResponseModel> GetProfile()
+        public async Task<ProfileResponseModel> GetProfile()
        {
            _currentContext.User = await _userService.GetUserByIdAsync(_userManager.GetUserId(User));
            var response = new ProfileResponseModel(_currentContext.User);
-            return Task.FromResult(response);
+            return response;
        }
        [HttpPut("profile")]
@ -165,7 +167,7 @@ namespace Bit.Api.Controllers
            var response = new ProfileResponseModel(_currentContext.User);
            return response;
-        }                      
+        }
        [HttpGet("two-factor")]
        public async Task<TwoFactorResponseModel> GetTwoFactor(string masterPasswordHash, TwoFactorProviderType provider)
--- a/src/Api/Controllers/AliveController.cs
+++ b/src/Api/Controllers/AliveController.cs
@ -16,7 +16,7 @@ namespace Bit.Api.Controllers
        [HttpGet("claims")]
        public IActionResult Claims()
        {
-            return new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));
+            return new JsonResult(User?.Claims?.Select(c => new { c.Type, c.Value }));
        }
    }
 }
--- a/src/Api/Startup.cs
+++ b/src/Api/Startup.cs
@ -28,7 +28,6 @@ using Bit.Api.Middleware;
 using IdentityServer4.Validation;
 using IdentityServer4.Services;
 using IdentityModel.AspNetCore.OAuth2Introspection;
 using Microsoft.AspNetCore.Authorization.Infrastructure;
 namespace Bit.Api
 {
@ -89,7 +88,7 @@ namespace Bit.Api
            services.AddIdentityServer()
                // TODO: Add proper signing creds
                .AddTemporarySigningCredential()
-                .AddInMemoryApiResources(Resources.GetApiResources())
+                .AddInMemoryApiResources(ApiResources.GetApiResources())
                .AddInMemoryClients(Clients.GetClients());
            services.AddSingleton<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
            services.AddSingleton<IProfileService, ProfileService>();
--- a/src/Core/Identity/ApiResources.cs
+++ b/src/Core/Identity/ApiResources.cs
@ -1,18 +1,19 @@
 using IdentityServer4.Models;
 using System.Collections.Generic;
 using System.Security.Claims;
 namespace Bit.Core.Identity
 {
-    public class Resources
+    public class ApiResources
    {
        public static IEnumerable<ApiResource> GetApiResources()
        {
            return new List<ApiResource>
            {
                new ApiResource("api", "Vault API", new string[] {
-                    "authmethod",
+                    ClaimTypes.AuthenticationMethod,
-                    "nameid",
+                    ClaimTypes.NameIdentifier,
-                    "email",
+                    ClaimTypes.Email,
                    "securitystamp"
                })
            };
--- a/src/Core/Identity/ProfileService.cs
+++ b/src/Core/Identity/ProfileService.cs
@ -21,7 +21,7 @@ namespace Bit.Core.Identity
        public Task GetProfileDataAsync(ProfileDataRequestContext context)
        {
-            context.AddFilteredClaims(context.IssuedClaims);
+            context.AddFilteredClaims(context.Subject.Claims);
            return Task.FromResult(0);
        }
--- a/src/Core/Identity/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/Identity/ResourceOwnerPasswordValidator.cs
@ -1,7 +1,9 @@
 using Bit.Core.Domains;
 using IdentityServer4.Models;
 using IdentityServer4.Validation;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 using System.Security.Claims;
 using System.Threading.Tasks;
@ -10,11 +12,14 @@ namespace Bit.Core.Identity
    public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
    {
        private readonly UserManager<User> _userManager;
        private readonly IdentityOptions _identityOptions;
        public ResourceOwnerPasswordValidator(
-            UserManager<User> userManager)
+            UserManager<User> userManager,
            IOptions<IdentityOptions> optionsAccessor)
        {
            _userManager = userManager;
            _identityOptions = optionsAccessor?.Value ?? new IdentityOptions();
        }
        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
@ -27,10 +32,10 @@ namespace Bit.Core.Identity
                    context.Result = new GrantValidationResult(user.Id.ToString(), "Application", identityProvider: "bitwarden",
                        claims: new Claim[] {
                            // Deprecated claims for backwards compatability
-                            new Claim("authmethod", "Application"),
+                            new Claim(ClaimTypes.AuthenticationMethod, "Application"),
-                            new Claim("nameid", user.Id.ToString()),
+                            new Claim(_identityOptions.ClaimsIdentity.UserIdClaimType, user.Id.ToString()),
-                            new Claim("email", user.Email.ToString()),
+                            new Claim(_identityOptions.ClaimsIdentity.UserNameClaimType, user.Email.ToString()),
-                            new Claim("securitystamp", user.SecurityStamp)
+                            new Claim(_identityOptions.ClaimsIdentity.SecurityStampClaimType, user.SecurityStamp)
                        });
                    return;
                }
--- a/src/Core/Services/IUserService.cs
+++ b/src/Core/Services/IUserService.cs
@ -8,6 +8,7 @@ namespace Bit.Core.Services
 {
    public interface IUserService
    {
        Task<User> GetUserByIdAsync(string userId);
        Task<User> GetUserByIdAsync(Guid userId);
        Task SaveUserAsync(User user);
        Task<IdentityResult> RegisterUserAsync(User user, string masterPassword);
--- a/src/Core/Services/Implementations/UserService.cs
+++ b/src/Core/Services/Implementations/UserService.cs
@ -57,6 +57,17 @@ namespace Bit.Core.Services
            _passwordValidators = passwordValidators;
        }
        public async Task<User> GetUserByIdAsync(string userId)
        {
            Guid userIdGuid;
            if(!Guid.TryParse(userId, out userIdGuid))
            {
                return null;
            }
            return await _userRepository.GetByIdAsync(userIdGuid);
        }
        public async Task<User> GetUserByIdAsync(Guid userId)
        {
            return await _userRepository.GetByIdAsync(userId);