-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathOAuth2IntrospectionOptions.cs
More file actions
162 lines (134 loc) · 6.15 KB
/
OAuth2IntrospectionOptions.cs
File metadata and controls
162 lines (134 loc) · 6.15 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
// Copyright (c) Duende Software. All rights reserved.
// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
using Duende.IdentityModel;
using Duende.IdentityModel.Client;
using IdentityModel.AspNetCore.OAuth2Introspection.Infrastructure;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using System;
using System.Net.Http;
namespace IdentityModel.AspNetCore.OAuth2Introspection
{
/// <summary>
/// Options class for the OAuth 2.0 introspection endpoint authentication handler
/// </summary>
public class OAuth2IntrospectionOptions : AuthenticationSchemeOptions
{
/// <summary>
/// ctor
/// </summary>
public OAuth2IntrospectionOptions()
{
Events = new OAuth2IntrospectionEvents();
}
/// <summary>
/// Sets the base-path of the token provider.
/// If set, the OpenID Connect discovery document will be used to find the introspection endpoint.
/// </summary>
public string Authority { get; set; }
/// <summary>
/// Sets the URL of the introspection endpoint.
/// If set, Authority is ignored.
/// </summary>
public string IntrospectionEndpoint { get; set; }
/// <summary>
/// Specifies the id of the introspection client (required).
/// </summary>
public string ClientId { get; set; }
/// <summary>
/// Specifies the shared secret of the introspection client.
/// </summary>
public string ClientSecret { get; set; }
internal object AssertionUpdateLockObj = new object();
internal ClientAssertion ClientAssertion { get; set; }
internal DateTime ClientAssertionExpirationTime { get; set; }
/// <summary>
/// Specifies how client id and secret are being sent
/// </summary>
public ClientCredentialStyle ClientCredentialStyle { get; set; } = ClientCredentialStyle.PostBody;
/// <summary>
/// Specifies how the authorization header gets formatted (if used)
/// </summary>
public BasicAuthenticationHeaderStyle AuthorizationHeaderStyle { get; set; } = BasicAuthenticationHeaderStyle.Rfc2617;
/// <summary>
/// Specifies the token type hint of the introspection client.
/// </summary>
public string TokenTypeHint { get; set; } = OidcConstants.TokenTypes.AccessToken;
/// <summary>
/// Specifies the claim type to use for the name claim (defaults to 'name')
/// </summary>
public string NameClaimType { get; set; } = "name";
/// <summary>
/// Specifies the claim type to use for the role claim (defaults to 'role')
/// </summary>
public string RoleClaimType { get; set; } = "role";
/// <summary>
/// Specifies the authentication type to use for the authenticated identity.
/// If not set, the authentication scheme name is used as the authentication
/// type (defaults to null).
/// </summary>
public string AuthenticationType { get; set; }
/// <summary>
/// Specifies the policy for the discovery client
/// </summary>
public DiscoveryPolicy DiscoveryPolicy { get; set; } = new DiscoveryPolicy();
/// <summary>
/// Specifies whether tokens that contain dots (most likely a JWT) are skipped
/// </summary>
public bool SkipTokensWithDots { get; set; } = false;
/// <summary>
/// Specifies whether the token should be stored in the context, and thus be available for the duration of the request
/// </summary>
public bool SaveToken { get; set; } = true;
/// <summary>
/// Specifies whether the outcome of the token validation should be cached. This reduces the load on the introspection endpoint at the STS
/// </summary>
public bool EnableCaching { get; set; } = false;
/// <summary>
/// Specifies for how long the outcome of the token validation should be cached.
/// </summary>
public TimeSpan CacheDuration { get; set; } = TimeSpan.FromMinutes(5);
/// <summary>
/// Specifies the prefix of the cache key (token).
/// </summary>
public string CacheKeyPrefix { get; set; } = string.Empty;
/// <summary>
/// Specifies the method how to generate the cache key from the token
/// </summary>
public Func<OAuth2IntrospectionOptions, string, string> CacheKeyGenerator { get; set; } = CacheUtils.CacheKeyFromToken();
/// <summary>
/// Specifies the method how to retrieve the token from the HTTP request
/// </summary>
public Func<HttpRequest, string> TokenRetriever { get; set; } = TokenRetrieval.FromAuthorizationHeader();
/// <summary>
/// Gets or sets the <see cref="OAuth2IntrospectionEvents"/> used to handle authentication events.
/// </summary>
public new OAuth2IntrospectionEvents Events
{
get => (OAuth2IntrospectionEvents)base.Events;
set => base.Events = value;
}
internal AsyncLazy<HttpClient> IntrospectionClient { get; set; }
/// <summary>
/// Check that the options are valid. Should throw an exception if things are not ok.
/// </summary>
/// <exception cref="InvalidOperationException">
/// You must either set Authority or IntrospectionEndpoint
/// or
/// You must either set a ClientId or set an introspection HTTP handler
/// </exception>
/// <exception cref="ArgumentException">TokenRetriever must be set - TokenRetriever</exception>
public override void Validate()
{
base.Validate();
if (Authority.IsMissing() && IntrospectionEndpoint.IsMissing())
{
throw new InvalidOperationException("You must either set Authority or IntrospectionEndpoint");
}
if (TokenRetriever == null)
{
throw new ArgumentException("TokenRetriever must be set", nameof(TokenRetriever));
}
}
}
}