1
0
mirror of https://github.com/bitwarden/server.git synced 2024-11-25 12:45:18 +01:00

WIP: Added IdentityServer4 to API via Bearer2 auth scheme

This commit is contained in:
Kyle Spearrin 2017-01-11 00:34:16 -05:00
parent c99f8efe79
commit 77ca47a266
7 changed files with 172 additions and 7 deletions

View File

@ -1,5 +1,6 @@
using System;
using Microsoft.AspNetCore.Mvc;
using System.Linq;
namespace Bit.Api.Controllers
{
@ -11,5 +12,11 @@ namespace Bit.Api.Controllers
{
return DateTime.UtcNow;
}
[HttpGet("claims")]
public IActionResult Claims()
{
return new JsonResult(User.Claims.Select(c => new { c.Type, c.Value }));
}
}
}

View File

@ -25,6 +25,10 @@ using Microsoft.Net.Http.Headers;
using Newtonsoft.Json.Serialization;
using AspNetCoreRateLimit;
using Bit.Api.Middleware;
using IdentityServer4.Validation;
using IdentityServer4.Services;
using IdentityModel.AspNetCore.OAuth2Introspection;
using Microsoft.AspNetCore.Authorization.Infrastructure;
namespace Bit.Api
{
@ -81,6 +85,15 @@ namespace Bit.Api
services.AddSingleton<IIpPolicyStore, MemoryCacheIpPolicyStore>();
services.AddSingleton<IRateLimitCounterStore, MemoryCacheRateLimitCounterStore>();
// IdentityServer
services.AddIdentityServer()
// TODO: Add proper signing creds
.AddTemporarySigningCredential()
.AddInMemoryApiResources(Resources.GetApiResources())
.AddInMemoryClients(Clients.GetClients());
services.AddSingleton<IResourceOwnerPasswordValidator, ResourceOwnerPasswordValidator>();
services.AddSingleton<IProfileService, ProfileService>();
// Identity
services.AddTransient<ILookupNormalizer, LowerInvariantLookupNormalizer>();
services.AddJwtBearerIdentity(options =>
@ -121,13 +134,19 @@ namespace Bit.Api
var jwtIdentityOptions = provider.GetRequiredService<IOptions<JwtBearerIdentityOptions>>().Value;
services.AddAuthorization(config =>
{
config.AddPolicy("Application", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.AuthenticationMethod).Build());
config.AddPolicy("Application", policy =>
{
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2");
policy.RequireAuthenticatedUser();
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.AuthenticationMethod);
});
config.AddPolicy("TwoFactor", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
.RequireAuthenticatedUser().RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.TwoFactorAuthenticationMethod).Build());
config.AddPolicy("TwoFactor", policy =>
{
policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, "Bearer2");
policy.RequireAuthenticatedUser();
policy.RequireClaim(ClaimTypes.AuthenticationMethod, jwtIdentityOptions.TwoFactorAuthenticationMethod);
});
});
services.AddScoped<AuthenticatorTokenProvider>();
@ -207,6 +226,18 @@ namespace Bit.Api
// Add Cors
app.UseCors("All");
// Add IdentityServer to the request pipeline.
app.UseIdentityServer();
app.UseIdentityServerAuthentication(new IdentityServerAuthenticationOptions
{
AllowedScopes = new string[] { "api" },
Authority = env.IsProduction() ? "https://api.bitwarden.com" : "http://localhost:4000",
RequireHttpsMetadata = env.IsProduction(),
ApiName = "Vault API",
AuthenticationScheme = "Bearer2",
TokenRetriever = TokenRetrieval.FromAuthorizationHeader("Bearer2")
});
// Add Jwt authentication to the request pipeline.
app.UseJwtBearerIdentity();

View File

@ -0,0 +1,31 @@
using IdentityServer4.Models;
using System.Collections.Generic;
namespace Bit.Core.Identity
{
public class Clients
{
public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
new ApiClient("mobile"),
new ApiClient("web"),
new ApiClient("browser"),
new ApiClient("desktop")
};
}
public class ApiClient : Client
{
public ApiClient(string id)
{
ClientId = id;
RequireClientSecret = false;
AllowedGrantTypes = GrantTypes.ResourceOwnerPassword;
AllowOfflineAccess = true;
AllowedScopes = new string[] { "api" };
}
}
}
}

View File

@ -0,0 +1,36 @@
using IdentityServer4.Services;
using System.Threading.Tasks;
using IdentityServer4.Models;
using Bit.Core.Repositories;
using Bit.Core.Services;
using System.Security.Claims;
namespace Bit.Core.Identity
{
public class ProfileService : IProfileService
{
private readonly IUserService _userService;
private readonly IUserRepository _userRepository;
public ProfileService(
IUserRepository userRepository,
IUserService userService)
{
_userRepository = userRepository;
_userService = userService;
}
public Task GetProfileDataAsync(ProfileDataRequestContext context)
{
// TODO: load proper claims for user
context.AddFilteredClaims(new Claim[] { new Claim(ClaimTypes.AuthenticationMethod, "Application") });
return Task.FromResult(0);
}
public Task IsActiveAsync(IsActiveContext context)
{
context.IsActive = true;
return Task.FromResult(0);
}
}
}

View File

@ -0,0 +1,41 @@
using Bit.Core.Domains;
using Bit.Core.Repositories;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using System.Security.Claims;
using System.Threading.Tasks;
namespace Bit.Core.Identity
{
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
{
private readonly IUserRepository _userRepository;
private readonly UserManager<User> _userManager;
public ResourceOwnerPasswordValidator(
IUserRepository userRepository,
UserManager<User> userManager)
{
_userRepository = userRepository;
_userManager = userManager;
}
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
{
var user = await _userRepository.GetByEmailAsync(context.UserName.ToLowerInvariant());
if(user != null)
{
if(await _userManager.CheckPasswordAsync(user, context.Password))
{
// TODO: proper claims and auth method
context.Result = new GrantValidationResult(subject: user.Id.ToString(), authenticationMethod: "Application",
identityProvider: "bitwarden", claims: new Claim[] { new Claim(ClaimTypes.AuthenticationMethod, "Application") });
return;
}
}
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Username or password is incorrect.");
}
}
}

View File

@ -0,0 +1,17 @@
using IdentityServer4.Models;
using System.Collections.Generic;
using System.Security.Claims;
namespace Bit.Core.Identity
{
public class Resources
{
public static IEnumerable<ApiResource> GetApiResources()
{
return new List<ApiResource>
{
new ApiResource("api", "Vault API", new string[] { ClaimTypes.AuthenticationMethod })
};
}
}
}

View File

@ -8,7 +8,9 @@
"DataTableProxy": "1.2.0",
"Sendgrid": "6.3.4",
"PushSharp": "4.0.10",
"WindowsAzure.Storage": "8.0.0"
"WindowsAzure.Storage": "8.0.0",
"IdentityServer4": "1.0.1",
"IdentityServer4.AccessTokenValidation": "1.0.2"
},
"frameworks": {