mirror of
https://github.com/bitwarden/server.git
synced 2024-11-25 12:45:18 +01:00
WIP: Added IdentityServer4 to API via Bearer2 auth scheme
This commit is contained in:
parent
c99f8efe79
commit
77ca47a266
@ -1,5 +1,6 @@
|
||||
using System;
|
||||
using Microsoft.AspNetCore.Mvc;
|
||||
using System.Linq;
|
||||
|
||||
namespace Bit.Api.Controllers
|
||||
{
|
||||
@ -11,5 +12,11 @@ namespace Bit.Api.Controllers
|
||||
{
|
||||
return DateTime.UtcNow;
|
||||
}
|
||||
|
||||
[HttpGet("claims")]
|
||||
public IActionResult Claims()
|
||||
{
|
||||
return new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -25,6 +25,10 @@ using Microsoft.Net.Http.Headers;
|
||||
using Newtonsoft.Json.Serialization;
|
||||
using AspNetCoreRateLimit;
|
||||
using Bit.Api.Middleware;
|
||||
using IdentityServer4.Validation;
|
||||
using IdentityServer4.Services;
|
||||
using IdentityModel.AspNetCore.OAuth2Introspection;
|
||||
using Microsoft.AspNetCore.Authorization.Infrastructure;
|
||||
|
||||
namespace Bit.Api
|
||||
{
|
||||
@ -81,6 +85,15 @@ namespace Bit.Api
|
||||
services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
|
||||
services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
|
||||
|
||||
// IdentityServer
|
||||
services.AddIdentityServer()
|
||||
// TODO: Add proper signing creds
|
||||
.AddTemporarySigningCredential()
|
||||
.AddInMemoryApiResources(Resources.GetApiResources())
|
||||
.AddInMemoryClients(Clients.GetClients());
|
||||
services.AddSingleton<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
|
||||
services.AddSingleton<IProfileService, ProfileService>();
|
||||
|
||||
// Identity
|
||||
services.AddTransient<ILookupNormalizer, LowerInvariantLookupNormalizer>();
|
||||
services.AddJwtBearerIdentity(options =>
|
||||
@ -121,13 +134,19 @@ namespace Bit.Api
|
||||
var jwtIdentityOptions = provider.GetRequiredService<IOptions<JwtBearerIdentityOptions>>().Value;
|
||||
services.AddAuthorization(config =>
|
||||
{
|
||||
config.AddPolicy("Application", new AuthorizationPolicyBuilder()
|
||||
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
|
||||
.RequireAuthenticatedUser().RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.AuthenticationMethod).Build());
|
||||
config.AddPolicy("Application", policy =>
|
||||
{
|
||||
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2");
|
||||
policy.RequireAuthenticatedUser();
|
||||
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.AuthenticationMethod);
|
||||
});
|
||||
|
||||
config.AddPolicy("TwoFactor", new AuthorizationPolicyBuilder()
|
||||
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
|
||||
.RequireAuthenticatedUser().RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.TwoFactorAuthenticationMethod).Build());
|
||||
config.AddPolicy("TwoFactor", policy =>
|
||||
{
|
||||
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2");
|
||||
policy.RequireAuthenticatedUser();
|
||||
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.TwoFactorAuthenticationMethod);
|
||||
});
|
||||
});
|
||||
|
||||
services.AddScoped<AuthenticatorTokenProvider>();
|
||||
@ -207,6 +226,18 @@ namespace Bit.Api
|
||||
// Add Cors
|
||||
app.UseCors("All");
|
||||
|
||||
// Add IdentityServer to the request pipeline.
|
||||
app.UseIdentityServer();
|
||||
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
|
||||
{
|
||||
AllowedScopes = new string[] { "api" },
|
||||
Authority = env.IsProduction() ? "https://api.bitwarden.com" : "http://localhost:4000",
|
||||
RequireHttpsMetadata = env.IsProduction(),
|
||||
ApiName = "Vault API",
|
||||
AuthenticationScheme = "Bearer2",
|
||||
TokenRetriever = TokenRetrieval.FromAuthorizationHeader("Bearer2")
|
||||
});
|
||||
|
||||
// Add Jwt authentication to the request pipeline.
|
||||
app.UseJwtBearerIdentity();
|
||||
|
||||
|
31
src/Core/Identity/Clients.cs
Normal file
31
src/Core/Identity/Clients.cs
Normal file
@ -0,0 +1,31 @@
|
||||
using IdentityServer4.Models;
|
||||
using System.Collections.Generic;
|
||||
|
||||
namespace Bit.Core.Identity
|
||||
{
|
||||
public class Clients
|
||||
{
|
||||
public static IEnumerable<Client> GetClients()
|
||||
{
|
||||
return new List<Client>
|
||||
{
|
||||
new ApiClient("mobile"),
|
||||
new ApiClient("web"),
|
||||
new ApiClient("browser"),
|
||||
new ApiClient("desktop")
|
||||
};
|
||||
}
|
||||
|
||||
public class ApiClient : Client
|
||||
{
|
||||
public ApiClient(string id)
|
||||
{
|
||||
ClientId = id;
|
||||
RequireClientSecret = false;
|
||||
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword;
|
||||
AllowOfflineAccess = true;
|
||||
AllowedScopes = new string[] { "api" };
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
36
src/Core/Identity/ProfileService.cs
Normal file
36
src/Core/Identity/ProfileService.cs
Normal file
@ -0,0 +1,36 @@
|
||||
using IdentityServer4.Services;
|
||||
using System.Threading.Tasks;
|
||||
using IdentityServer4.Models;
|
||||
using Bit.Core.Repositories;
|
||||
using Bit.Core.Services;
|
||||
using System.Security.Claims;
|
||||
|
||||
namespace Bit.Core.Identity
|
||||
{
|
||||
public class ProfileService : IProfileService
|
||||
{
|
||||
private readonly IUserService _userService;
|
||||
private readonly IUserRepository _userRepository;
|
||||
|
||||
public ProfileService(
|
||||
IUserRepository userRepository,
|
||||
IUserService userService)
|
||||
{
|
||||
_userRepository = userRepository;
|
||||
_userService = userService;
|
||||
}
|
||||
|
||||
public Task GetProfileDataAsync(ProfileDataRequestContext context)
|
||||
{
|
||||
// TODO: load proper claims for user
|
||||
context.AddFilteredClaims(new Claim[] { new Claim(ClaimTypes.AuthenticationMethod, "Application") });
|
||||
return Task.FromResult(0);
|
||||
}
|
||||
|
||||
public Task IsActiveAsync(IsActiveContext context)
|
||||
{
|
||||
context.IsActive = true;
|
||||
return Task.FromResult(0);
|
||||
}
|
||||
}
|
||||
}
|
41
src/Core/Identity/ResourceOwnerPasswordValidator.cs
Normal file
41
src/Core/Identity/ResourceOwnerPasswordValidator.cs
Normal file
@ -0,0 +1,41 @@
|
||||
using Bit.Core.Domains;
|
||||
using Bit.Core.Repositories;
|
||||
using IdentityServer4.Models;
|
||||
using IdentityServer4.Validation;
|
||||
using Microsoft.AspNetCore.Identity;
|
||||
using System.Security.Claims;
|
||||
using System.Threading.Tasks;
|
||||
|
||||
namespace Bit.Core.Identity
|
||||
{
|
||||
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
|
||||
{
|
||||
private readonly IUserRepository _userRepository;
|
||||
private readonly UserManager<User> _userManager;
|
||||
|
||||
public ResourceOwnerPasswordValidator(
|
||||
IUserRepository userRepository,
|
||||
UserManager<User> userManager)
|
||||
{
|
||||
_userRepository = userRepository;
|
||||
_userManager = userManager;
|
||||
}
|
||||
|
||||
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
|
||||
{
|
||||
var user = await _userRepository.GetByEmailAsync(context.UserName.ToLowerInvariant());
|
||||
if(user != null)
|
||||
{
|
||||
if(await _userManager.CheckPasswordAsync(user, context.Password))
|
||||
{
|
||||
// TODO: proper claims and auth method
|
||||
context.Result = new GrantValidationResult(subject: user.Id.ToString(), authenticationMethod: "Application",
|
||||
identityProvider: "bitwarden", claims: new Claim[] { new Claim(ClaimTypes.AuthenticationMethod, "Application") });
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Username or password is incorrect.");
|
||||
}
|
||||
}
|
||||
}
|
17
src/Core/Identity/Resources.cs
Normal file
17
src/Core/Identity/Resources.cs
Normal file
@ -0,0 +1,17 @@
|
||||
using IdentityServer4.Models;
|
||||
using System.Collections.Generic;
|
||||
using System.Security.Claims;
|
||||
|
||||
namespace Bit.Core.Identity
|
||||
{
|
||||
public class Resources
|
||||
{
|
||||
public static IEnumerable<ApiResource> GetApiResources()
|
||||
{
|
||||
return new List<ApiResource>
|
||||
{
|
||||
new ApiResource("api", "Vault API", new string[] { ClaimTypes.AuthenticationMethod })
|
||||
};
|
||||
}
|
||||
}
|
||||
}
|
@ -8,7 +8,9 @@
|
||||
"DataTableProxy": "1.2.0",
|
||||
"Sendgrid": "6.3.4",
|
||||
"PushSharp": "4.0.10",
|
||||
"WindowsAzure.Storage": "8.0.0"
|
||||
"WindowsAzure.Storage": "8.0.0",
|
||||
"IdentityServer4": "1.0.1",
|
||||
"IdentityServer4.AccessTokenValidation": "1.0.2"
|
||||
},
|
||||
|
||||
"frameworks": {
|
||||
|
Loading…
Reference in New Issue
Block a user