Merge pull request #13 from jokk-itu/feature/get-subject

Feature/get subject

Author: jokk-itu

README.md

@@ -10,8 +10,14 @@ The following grant types are supported:
 
 ## Pipeline runs
 
-TODO
+[![Quality Gate Status](https://sonarcloud.io/api/project_badges/measure?project=jokk-itu_authserver-framework&metric=alert_status)](https://sonarcloud.io/summary/new_code?id=jokk-itu_authserver-framework)
+[![Coverage](https://sonarcloud.io/api/project_badges/measure?project=jokk-itu_authserver-framework&metric=coverage)](https://sonarcloud.io/summary/new_code?id=jokk-itu_authserver-framework)
+[![CI](https://github.com/jokk-itu/authserver-framework/actions/workflows/build.yml/badge.svg)](https://github.com/jokk-itu/authserver-framework/actions/workflows/build.yml)
 
 ## Documentation
 
-Take a look at [authserver.dk](https://www.authserver.dk).
+Take a look at [authserver.dk](https://www.authserver.dk).
+
+## Demo
+
+Take a look at [authserver demo](https://github.com/jokk-itu/authserver-demo).

src/AuthServer.TestIdentityProvider/Pages/Consent.cshtml.cs

@@ -11,14 +11,10 @@ namespace AuthServer.TestIdentityProvider.Pages;
 [ValidateAntiForgeryToken]
 public class ConsentModel : PageModel
 {
-    private readonly IAuthorizeUserAccessor _authorizeUserAccessor;
     private readonly IAuthorizeService _authorizeService;
 
-    public ConsentModel(
-        IAuthorizeUserAccessor authorizeUserAccessor,
-        IAuthorizeService authorizeService)
+    public ConsentModel(IAuthorizeService authorizeService)
     {
-        _authorizeUserAccessor = authorizeUserAccessor;
         _authorizeService = authorizeService;
     }
 
@@ -29,10 +25,10 @@ public ConsentModel(
 
     public class InputModel
     {
-        public required string ClientName { get; set; }
+        public string? ClientName { get; set; }
         public string? ClientUri { get; set; }
         public string? ClientLogoUri { get; set; }
-        public required string Username { get; set; }
+        public string? Username { get; set; }
         public List<string> RequestedScope { get; set; } = [];
         public List<ClaimDto> RequestedClaims { get; set; } = [];
         public List<string> ConsentedScope { get; set; } = [];
@@ -49,13 +45,15 @@ public async Task OnGet(string returnUrl, CancellationToken cancellationToken)
     {
         ReturnUrl = returnUrl ?? Url.Content("~/");
 
-        var user = _authorizeUserAccessor.GetUser();
         var query = HttpUtility.ParseQueryString(new Uri(ReturnUrl).Query);
         var requestUri = query.Get(Parameter.RequestUri)!;
         var clientId = query.Get(Parameter.ClientId)!;
-        var consentGrantDto = await _authorizeService.GetConsentGrantDto(user.SubjectIdentifier, clientId, cancellationToken);
 
         var request = (await _authorizeService.GetRequest(requestUri, clientId, cancellationToken))!;
+
+        var subject = await _authorizeService.GetSubject(request);
+        var consentGrantDto = await _authorizeService.GetConsentGrantDto(subject, clientId, cancellationToken);
+        
         var requestedScope = request.Scope.ToList();
 
         // Display requested claims, also if they are already consented. This makes sure the end-user can change their full consent.
@@ -82,11 +80,12 @@ public async Task<IActionResult> OnPostAccept(string returnUrl, CancellationToke
     {
         ReturnUrl = returnUrl ?? Url.Content("~/");
 
-        var user = _authorizeUserAccessor.GetUser();
         var query = HttpUtility.ParseQueryString(new Uri(ReturnUrl).Query);
         var clientId = query.Get(Parameter.ClientId)!;
-
-        await _authorizeService.CreateOrUpdateConsentGrant(user.SubjectIdentifier, clientId, Input.ConsentedScope, Input.ConsentedClaims, cancellationToken);
+        var requestUri = query.Get(Parameter.RequestUri)!;
+        var request = (await _authorizeService.GetRequest(requestUri, clientId, cancellationToken))!;
+        var subject = await _authorizeService.GetSubject(request);
+        await _authorizeService.CreateOrUpdateConsentGrant(subject, clientId, Input.ConsentedScope, Input.ConsentedClaims, cancellationToken);
 
         return Redirect(ReturnUrl);
     }

src/AuthServer/AuthServer.csproj

@@ -32,6 +32,7 @@
 
 	<ItemGroup>
 		<FrameworkReference Include="Microsoft.AspNetCore.App" />
+		<None Include="README.md" Pack="true" PackagePath="\" />
 	</ItemGroup>
 
 	<ItemGroup>
@@ -42,8 +43,4 @@
 		<InternalsVisibleTo Include="DynamicProxyGenAssembly2" />
 	</ItemGroup>
 
-	<ItemGroup>
-		<None Include="README.md" Pack="true" PackagePath="\" />
-	</ItemGroup>
-
 </Project>

src/AuthServer/Authentication/Abstractions/IUserClaimService.cs

@@ -17,5 +17,5 @@ public interface IUserClaimService
     /// <param name="subjectIdentifier"></param>
     /// <param name="cancellationToken"></param>
     /// <returns></returns>
-    Task<string> GetUserName(string subjectIdentifier, CancellationToken cancellationToken);
+    Task<string> GetUsername(string subjectIdentifier, CancellationToken cancellationToken);
 }

src/AuthServer/Authentication/OAuthToken/OAuthTokenAuthenticationHandler.cs

@@ -99,7 +99,7 @@ protected override async Task HandleChallengeAsync(AuthenticationProperties prop
         }
         else
         {
-            throw new InvalidOperationException("Challenge must happened from failure or none");
+            throw new InvalidOperationException("Challenge must happen from failure or none");
         }
 
         Response.StatusCode = 401;

src/AuthServer/Authorize/Abstractions/IAuthorizeService.cs

@@ -61,4 +61,10 @@ public interface IAuthorizeService
     /// <param name="cancellationToken"></param>
     /// <returns></returns>
     Task<IActionResult> GetErrorResult(string requestUri, string clientId, OAuthError oauthError, HttpContext httpContext, CancellationToken cancellationToken);
+
+    /// <summary>
+    /// Get the subject from AuthorizeUser, IdTokenHint or AuthenticatedUser.
+    /// </summary>
+    /// <returns></returns>
+    Task<string> GetSubject(AuthorizeRequestDto authorizeRequestDto);
 }

src/AuthServer/Authorize/AuthorizeService.cs

@@ -7,6 +7,8 @@
 using AuthServer.Endpoints.Responses;
 using AuthServer.Repositories.Abstractions;
 using AuthServer.RequestAccessors.Authorize;
+using AuthServer.TokenDecoders;
+using AuthServer.TokenDecoders.Abstractions;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Mvc;
 
@@ -20,6 +22,9 @@ internal class AuthorizeService : IAuthorizeService
     private readonly IAuthenticationContextReferenceResolver _authenticationContextResolver;
     private readonly ISecureRequestService _secureRequestService;
     private readonly IAuthorizeResponseBuilder _authorizeResponseBuilder;
+    private readonly IAuthenticatedUserAccessor _authenticatedUserAccessor;
+    private readonly IAuthorizeUserAccessor _authorizeUserAccessor;
+    private readonly ITokenDecoder<ServerIssuedTokenDecodeArguments> _tokenDecoder;
 
     public AuthorizeService(
         IConsentGrantRepository consentGrantRepository,
@@ -28,7 +33,10 @@ public AuthorizeService(
         IUserClaimService userClaimService,
         IAuthenticationContextReferenceResolver authenticationContextResolver,
         ISecureRequestService secureRequestService,
-        IAuthorizeResponseBuilder authorizeResponseBuilder)
+        IAuthorizeResponseBuilder authorizeResponseBuilder,
+        IAuthenticatedUserAccessor authenticatedUserAccessor,
+        IAuthorizeUserAccessor authorizeUserAccessor,
+        ITokenDecoder<ServerIssuedTokenDecodeArguments> tokenDecoder)
     {
         _consentGrantRepository = consentGrantRepository;
         _authorizationGrantRepository = authorizationGrantRepository;
@@ -37,6 +45,9 @@ public AuthorizeService(
         _authenticationContextResolver = authenticationContextResolver;
         _secureRequestService = secureRequestService;
         _authorizeResponseBuilder = authorizeResponseBuilder;
+        _authenticatedUserAccessor = authenticatedUserAccessor;
+        _authorizeUserAccessor = authorizeUserAccessor;
+        _tokenDecoder = tokenDecoder;
     }
 
     /// <inheritdoc/>
@@ -59,7 +70,7 @@ public async Task<ConsentGrantDto> GetConsentGrantDto(string subjectIdentifier,
     {
         var consentGrant = await _consentGrantRepository.GetConsentGrant(subjectIdentifier, clientId, cancellationToken);
         var cachedClient = await _cachedClientStore.Get(clientId, cancellationToken);
-        var username = await _userClaimService.GetUserName(subjectIdentifier, cancellationToken);
+        var username = await _userClaimService.GetUsername(subjectIdentifier, cancellationToken);
 
         return new ConsentGrantDto
         {
@@ -95,4 +106,23 @@ public async Task<IActionResult> GetErrorResult(string requestUri, string client
         };
         return await _authorizeResponseBuilder.BuildResponse(request, errorParameters, cancellationToken);
     }
+
+    /// <inheritdoc/>
+    public async Task<string> GetSubject(AuthorizeRequestDto authorizeRequestDto)
+    {
+        var authorizeUser = _authorizeUserAccessor.TryGetUser();
+        if (authorizeUser is not null)
+        {
+            return authorizeUser.SubjectIdentifier;
+        }
+
+        if (authorizeRequestDto.IdTokenHint is not null)
+        {
+            var idToken = await _tokenDecoder.Read(authorizeRequestDto.IdTokenHint);
+            return idToken.Subject;
+        }
+
+        var authenticatedUser = await _authenticatedUserAccessor.GetAuthenticatedUser();
+        return authenticatedUser?.SubjectIdentifier ?? throw new InvalidOperationException("subject cannot be deduced");
+    }
 }

src/AuthServer/Introspection/IntrospectionEndpointHandler.cs

@@ -1,5 +1,4 @@
 using AuthServer.Core.Abstractions;
-using AuthServer.Core.Request;
 using AuthServer.Endpoints.Responses;
 using AuthServer.Extensions;
 using AuthServer.RequestAccessors.Introspection;

src/AuthServer/Introspection/IntrospectionRequestProcessor.cs

@@ -62,7 +62,7 @@ public async Task<IntrospectionResponse> Process(IntrospectionValidatedRequest r
         string? username = null;
         if (query.SubjectIdentifier is not null)
         {
-            username = await _userClaimService.GetUserName(query.SubjectIdentifier, cancellationToken);
+            username = await _userClaimService.GetUsername(query.SubjectIdentifier, cancellationToken);
         }
 
         var subject = query.SubjectFromGrantToken ?? query.SubjectFromClientToken;

tests/AuthServer.Tests.Core/UserClaimService.cs

@@ -33,7 +33,7 @@ public Task<IEnumerable<Claim>> GetClaims(string subjectIdentifier, Cancellation
         ]);
     }
 
-    public Task<string> GetUserName(string subjectIdentifier, CancellationToken cancellationToken)
+    public Task<string> GetUsername(string subjectIdentifier, CancellationToken cancellationToken)
     {
         return Task.FromResult(UserConstants.Username);
     }