Add PingOne provider (#758)

* Adding PingOne Provider

* updating documentation

* fixing url for tests

* adding test with custom domain

* adding new version to package validation

Co-authored-by: Martin Costello <[email protected]>

* fixing casing the exception string

Co-authored-by: Martin Costello <[email protected]>

* updating changes from PR review

* updating docs to reflect code change

* Update documentation

Minor documentation updates.

---------

Co-authored-by: Andrew Killion <[email protected]>
Co-authored-by: Martin Costello <[email protected]>

Author: 3 people

AspNet.Security.OAuth.Providers.sln

@@ -295,6 +295,8 @@ Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AspNet.Security.OAuth.Smart
 EndProject
 Project("{9A19103F-16F7-4668-BE54-9A1E7A4F7556}") = "AspNet.Security.OAuth.Huawei", "src\AspNet.Security.OAuth.Huawei\AspNet.Security.OAuth.Huawei.csproj", "{E3CF7FFC-56A0-4033-87A9-BB3080CF030E}"
 EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "AspNet.Security.OAuth.PingOne", "src\AspNet.Security.OAuth.PingOne\AspNet.Security.OAuth.PingOne.csproj", "{CF8C4235-6AE6-404E-B572-4FF4E85AB5FF}"
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -677,6 +679,10 @@ Global
 		{E3CF7FFC-56A0-4033-87A9-BB3080CF030E}.Debug|Any CPU.Build.0 = Debug|Any CPU
 		{E3CF7FFC-56A0-4033-87A9-BB3080CF030E}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{E3CF7FFC-56A0-4033-87A9-BB3080CF030E}.Release|Any CPU.Build.0 = Release|Any CPU
+		{CF8C4235-6AE6-404E-B572-4FF4E85AB5FF}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
+		{CF8C4235-6AE6-404E-B572-4FF4E85AB5FF}.Debug|Any CPU.Build.0 = Debug|Any CPU
+		{CF8C4235-6AE6-404E-B572-4FF4E85AB5FF}.Release|Any CPU.ActiveCfg = Release|Any CPU
+		{CF8C4235-6AE6-404E-B572-4FF4E85AB5FF}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
 	GlobalSection(SolutionProperties) = preSolution
 		HideSolutionNode = FALSE
@@ -782,6 +788,7 @@ Global
 		{8E42EF81-A630-4BDB-B642-3F20C863F9BE} = {C1352FD3-AE8B-43EE-B45B-F6E0B3FBAC6D}
 		{68862DC5-65B7-4517-B909-AB334F9FCF6E} = {C1352FD3-AE8B-43EE-B45B-F6E0B3FBAC6D}
 		{E3CF7FFC-56A0-4033-87A9-BB3080CF030E} = {C1352FD3-AE8B-43EE-B45B-F6E0B3FBAC6D}
+		{CF8C4235-6AE6-404E-B572-4FF4E85AB5FF} = {C1352FD3-AE8B-43EE-B45B-F6E0B3FBAC6D}
 	EndGlobalSection
 	GlobalSection(ExtensibilityGlobals) = postSolution
 		SolutionGuid = {C7B54DE2-6407-4802-AD9C-CE54BF414C8C}

README.md

@@ -56,6 +56,7 @@ We would love it if you could help contributing to this repository.
 * [CoCo Lin](https://github.com/linmasaki)
 * [Dave Timmins](https://github.com/davetimmins)
 * [Dmitry Popov](https://github.com/justdmitry)
+* [Drew Killion](https://github.com/drewkill32)
 * [Elan Hasson](https://github.com/ElanHasson)
 * [Eric Green](https://github.com/ericgreenmix)
 * [Ethan Celletti](https://github.com/Gekctek)
@@ -180,6 +181,7 @@ If a provider you're looking for does not exist, consider making a PR to add one
 | Onshape | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.Onshape?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.Onshape/ "Download AspNet.Security.OAuth.Onshape from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.Onshape?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.Onshape "Download AspNet.Security.OAuth.Onshape from MyGet.org") | N/A |
 | Patreon | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.Patreon?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.Patreon/ "Download AspNet.Security.OAuth.Patreon from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.Patreon?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.Patreon "Download AspNet.Security.OAuth.Patreon from MyGet.org") | [Documentation](https://docs.patreon.com/#oauth "Patreon developer documentation") |
 | Paypal | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.Paypal?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.Paypal/ "Download AspNet.Security.OAuth.Paypal from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.Paypal?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.Paypal "Download AspNet.Security.OAuth.Paypal from MyGet.org") | [Documentation](https://developer.paypal.com/docs/api-basics/#oauth-20-authorization-protocol "Paypal developer documentation") |
+| PingOne | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.PingOne?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.PingOne/ "Download AspNet.Security.OAuth.PingOne from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.PingOne?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.PingOne "Download AspNet.Security.OAuth.PingOne from MyGet.org") | [Documentation](https://apidocs.pingidentity.com/pingone/platform/v1/api/#openid-connectoauth-2 "PingOne developer documentation") |
 | QQ | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.QQ?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.QQ/ "Download AspNet.Security.OAuth.QQ from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.QQ?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.QQ "Download AspNet.Security.OAuth.QQ from MyGet.org") | [Documentation](https://developers.e.qq.com/docs/apilist/auth/oauth2 "QQ developer documentation") |
 | QuickBooks | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.QuickBooks?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.QuickBooks/ "Download AspNet.Security.OAuth.QuickBooks from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.QuickBooks?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.QuickBooks "Download AspNet.Security.OAuth.QuickBooks from MyGet.org") | [Documentation](https://www.developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-2.0-playground "QuickBooks developer documentation") |
 | Reddit | [![NuGet](https://buildstats.info/nuget/AspNet.Security.OAuth.Reddit?includePreReleases=false)](https://www.nuget.org/packages/AspNet.Security.OAuth.Reddit/ "Download AspNet.Security.OAuth.Reddit from NuGet.org") | [![MyGet](https://buildstats.info/myget/aspnet-contrib/AspNet.Security.OAuth.Reddit?includePreReleases=true)](https://www.myget.org/feed/aspnet-contrib/package/nuget/AspNet.Security.OAuth.Reddit "Download AspNet.Security.OAuth.Reddit from MyGet.org") | [Documentation](https://github.com/reddit-archive/reddit/wiki/oauth2 "Reddit developer documentation") |

docs/README.md

@@ -61,6 +61,7 @@ covered by the section above.
 | Odnoklassniki | _Optional_ | [Documentation](odnoklassniki.md "Odnoklassniki provider documentation") |
 | Okta | **Required** | [Documentation](okta.md "Okta provider documentation") |
 | Patreon | _Optional_ | [Documentation](patreon.md "Patreon provider documentation") |
+| PingOne | _Optional_ | [Documentation](pingone.md "PingOne provider documentation") |
 | QQ | _Optional_ | [Documentation](qq.md "QQ provider documentation") |
 | Reddit | _Optional_ | [Documentation](reddit.md "Reddit provider documentation") |
 | Salesforce | _Optional_ | [Documentation](salesforce.md "Salesforce provider documentation") |

docs/pingone.md

@@ -0,0 +1,26 @@
+# Integrating the PingOne Provider
+
+## Example
+
+```csharp
+services.AddAuthentication(options => /* Auth configuration */)
+        .AddPingOne(options =>
+        {
+            options.ClientId = "my-client-id";
+            options.ClientSecret = "my-client-secret";
+            options.EnvironmentId = "63e9d5c3-5bb8-462d-8f71-8e6b2592e516";
+        });
+```
+
+## Required Additional Settings
+
+| Property Name | Property Type | Description | Default Value |
+|:--|:--|:--|:--|
+| `EnvironmentId` | `string` | The PingOne EnvironmentId to use for authentication. This can be found on the `environment.properties` page of the PingOne admin portal for your account. | `""` |
+
+## Optional Settings
+
+| Property Name | Property Type | Description | Default Value |
+|:--|:--|:--|:--|
+| `Domain` | `string?` | The PingOne domain to use for authentication. Can be a custom domain configured in PingOne or one of the following: `auth.pingone.com` for the United States region, `auth.pingone.ca` for the Canada region, `auth.pingone.eu` for the European Union region, or `auth.pingone.asia` for the Asia-Pacific region. | `"auth.pingone.com"` |
+

src/AspNet.Security.OAuth.PingOne/AspNet.Security.OAuth.PingOne.csproj

@@ -0,0 +1,25 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFrameworks>$(DefaultNetCoreTargetFramework)</TargetFrameworks>
+  </PropertyGroup>
+
+
+  <!-- TODO Remove once published to NuGet.org -->
+  <PropertyGroup>
+    <DisablePackageBaselineValidation>true</DisablePackageBaselineValidation>
+    <PackageValidationBaselineVersion>7.0.1</PackageValidationBaselineVersion>
+  </PropertyGroup>
+
+  <PropertyGroup>
+    <Description>ASP.NET Core security provider enabling PingOne authentication.</Description>
+    <Authors>Drew Killion</Authors>
+    <PackageTags>pingone;aspnetcore;authentication;oauth;security</PackageTags>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+    <PackageReference Include="JetBrains.Annotations" PrivateAssets="All" />
+  </ItemGroup>
+
+</Project>

src/AspNet.Security.OAuth.PingOne/PingOneAuthenticationDefaults.cs

@@ -0,0 +1,53 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
+ * for more information concerning the license and the contributors participating to this project.
+ */
+
+namespace AspNet.Security.OAuth.PingOne;
+
+/// <summary>
+/// Default values used by the PingOne authentication provider.
+/// </summary>
+public static class PingOneAuthenticationDefaults
+{
+    /// <summary>
+    /// Default value for <see cref="AuthenticationScheme.Name"/>.
+    /// </summary>
+    public const string AuthenticationScheme = "PingOne";
+
+    /// <summary>
+    /// Default value for <see cref="AuthenticationScheme.DisplayName"/>.
+    /// </summary>
+    public static readonly string DisplayName = "PingOne";
+
+    /// <summary>
+    /// Default value for <see cref="AuthenticationSchemeOptions.ClaimsIssuer"/>.
+    /// </summary>
+    public static readonly string Issuer = "PingOne";
+
+    /// <summary>
+    /// Default value for PingOne domain.
+    /// </summary>
+    public static readonly string Domain = "auth.pingone.com";
+
+    /// <summary>
+    /// Default value for <see cref="RemoteAuthenticationOptions.CallbackPath"/>.
+    /// </summary>
+    public static readonly string CallbackPath = "/signin-pingone";
+
+    /// <summary>
+    /// Default path format to use for <see cref="OAuthOptions.AuthorizationEndpoint"/>.
+    /// </summary>
+    public static readonly string AuthorizationEndpointPathFormat = "/{0}/as/authorize";
+
+    /// <summary>
+    /// Default path format to use for <see cref="OAuthOptions.TokenEndpoint"/>.
+    /// </summary>
+    public static readonly string TokenEndpointPathFormat = "/{0}/as/token";
+
+    /// <summary>
+    /// Default path format to use for <see cref="OAuthOptions.UserInformationEndpoint"/>.
+    /// </summary>
+    public static readonly string UserInformationEndpointPathFormat = "/{0}/as/userinfo";
+}

src/AspNet.Security.OAuth.PingOne/PingOneAuthenticationExtensions.cs

@@ -0,0 +1,77 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
+ * for more information concerning the license and the contributors participating to this project.
+ */
+
+using AspNet.Security.OAuth.PingOne;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
+
+namespace Microsoft.Extensions.DependencyInjection;
+
+/// <summary>
+/// Extension methods to add PingOne authentication capabilities to an HTTP application pipeline.
+/// </summary>
+public static class PingOneAuthenticationExtensions
+{
+    /// <summary>
+    /// Adds <see cref="PingOneAuthenticationHandler"/> to the specified
+    /// <see cref="AuthenticationBuilder"/>, which enables PingOne authentication capabilities.
+    /// </summary>
+    /// <param name="builder">The authentication builder.</param>
+    /// <returns>The <see cref="AuthenticationBuilder"/>.</returns>
+    public static AuthenticationBuilder AddPingOne([NotNull] this AuthenticationBuilder builder)
+    {
+        return builder.AddPingOne(PingOneAuthenticationDefaults.AuthenticationScheme, options => { });
+    }
+
+    /// <summary>
+    /// Adds <see cref="PingOneAuthenticationHandler"/> to the specified
+    /// <see cref="AuthenticationBuilder"/>, which enables PingOne authentication capabilities.
+    /// </summary>
+    /// <param name="builder">The authentication builder.</param>
+    /// <param name="configuration">The delegate used to configure the PingOne options.</param>
+    /// <returns>The <see cref="AuthenticationBuilder"/>.</returns>
+    public static AuthenticationBuilder AddPingOne(
+        [NotNull] this AuthenticationBuilder builder,
+        [NotNull] Action<PingOneAuthenticationOptions> configuration)
+    {
+        return builder.AddPingOne(PingOneAuthenticationDefaults.AuthenticationScheme, configuration);
+    }
+
+    /// <summary>
+    /// Adds <see cref="PingOneAuthenticationHandler"/> to the specified
+    /// <see cref="AuthenticationBuilder"/>, which enables PingOne authentication capabilities.
+    /// </summary>
+    /// <param name="builder">The authentication builder.</param>
+    /// <param name="scheme">The authentication scheme associated with this instance.</param>
+    /// <param name="configuration">The delegate used to configure the PingOne options.</param>
+    /// <returns>The <see cref="AuthenticationBuilder"/>.</returns>
+    public static AuthenticationBuilder AddPingOne(
+        [NotNull] this AuthenticationBuilder builder,
+        [NotNull] string scheme,
+        [NotNull] Action<PingOneAuthenticationOptions> configuration)
+    {
+        return builder.AddPingOne(scheme, PingOneAuthenticationDefaults.DisplayName, configuration);
+    }
+
+    /// <summary>
+    /// Adds <see cref="PingOneAuthenticationHandler"/> to the specified
+    /// <see cref="AuthenticationBuilder"/>, which enables PingOne authentication capabilities.
+    /// </summary>
+    /// <param name="builder">The authentication builder.</param>
+    /// <param name="scheme">The authentication scheme associated with this instance.</param>
+    /// <param name="caption">The optional display name associated with this instance.</param>
+    /// <param name="configuration">The delegate used to configure the PingOne options.</param>
+    /// <returns>The <see cref="AuthenticationBuilder"/>.</returns>
+    public static AuthenticationBuilder AddPingOne(
+        [NotNull] this AuthenticationBuilder builder,
+        [NotNull] string scheme,
+        [CanBeNull] string caption,
+        [NotNull] Action<PingOneAuthenticationOptions> configuration)
+    {
+        builder.Services.TryAddSingleton<IPostConfigureOptions<PingOneAuthenticationOptions>, PingOnePostConfigureOptions>();
+        return builder.AddOAuth<PingOneAuthenticationOptions, PingOneAuthenticationHandler>(scheme, caption, configuration);
+    }
+}

src/AspNet.Security.OAuth.PingOne/PingOneAuthenticationHandler.cs

@@ -0,0 +1,84 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
+ * See https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers
+ * for more information concerning the license and the contributors participating to this project.
+ */
+
+using System.Net.Http.Headers;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using System.Text.Json;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace AspNet.Security.OAuth.PingOne;
+
+/// <summary>
+/// Defines a handler for authentication using PingOne.
+/// </summary>
+public partial class PingOneAuthenticationHandler : OAuthHandler<PingOneAuthenticationOptions>
+{
+    /// <summary>
+    /// Initializes a new instance of the <see cref="PingOneAuthenticationHandler"/> class.
+    /// </summary>
+    /// <param name="options">The authentication options.</param>
+    /// <param name="logger">The logger to use.</param>
+    /// <param name="encoder">The URL encoder to use.</param>
+    /// <param name="clock">The system clock to use.</param>
+    public PingOneAuthenticationHandler(
+        [NotNull] IOptionsMonitor<PingOneAuthenticationOptions> options,
+        [NotNull] ILoggerFactory logger,
+        [NotNull] UrlEncoder encoder,
+        [NotNull] ISystemClock clock)
+        : base(options, logger, encoder, clock)
+    {
+    }
+
+    /// <inheritdoc />
+    protected override async Task<AuthenticationTicket> CreateTicketAsync(
+        [NotNull] ClaimsIdentity identity,
+        [NotNull] AuthenticationProperties properties,
+        [NotNull] OAuthTokenResponse tokens)
+    {
+        string endpoint = Options.UserInformationEndpoint;
+
+        using var request = new HttpRequestMessage(HttpMethod.Get, endpoint);
+        request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", tokens.AccessToken);
+
+        using var response = await Backchannel.SendAsync(request, HttpCompletionOption.ResponseHeadersRead, Context.RequestAborted);
+        if (!response.IsSuccessStatusCode)
+        {
+            await Log.UserProfileErrorAsync(Logger, response, Context.RequestAborted);
+            throw new HttpRequestException("An error occurred while retrieving the user profile from PingOne.");
+        }
+
+        using var payload = JsonDocument.Parse(await response.Content.ReadAsStringAsync(Context.RequestAborted));
+
+        var principal = new ClaimsPrincipal(identity);
+        var context = new OAuthCreatingTicketContext(principal, properties, Context, Scheme, Options, Backchannel, tokens, payload.RootElement);
+        context.RunClaimActions();
+
+        await Events.CreatingTicket(context);
+        return new AuthenticationTicket(context.Principal!, context.Properties, Scheme.Name);
+    }
+
+    private static partial class Log
+    {
+        internal static async Task UserProfileErrorAsync(ILogger logger, HttpResponseMessage response, CancellationToken cancellationToken)
+        {
+            UserProfileError(
+                logger,
+                response.StatusCode,
+                response.Headers.ToString(),
+                await response.Content.ReadAsStringAsync(cancellationToken));
+        }
+
+        [LoggerMessage(1, LogLevel.Error, "An error occurred while retrieving the user profile: the remote server returned a {Status} response with the following payload: {Headers} {Body}.")]
+        private static partial void UserProfileError(
+            ILogger logger,
+            System.Net.HttpStatusCode status,
+            string headers,
+            string body);
+    }
+}