Merge pull request #11592 from rickbutterfield/feature/temp-11591

bergmania · web-flow · commit cabc30341aef · 2021-11-15T12:54:44.000+01:00
v9: Fix for OAuth ExternalLogin
diff --git a/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs b/src/Umbraco.Web.BackOffice/Controllers/BackOfficeController.cs
@@ -517,6 +517,11 @@ private async Task<IActionResult> ExternalSignInAsync(ExternalLoginInfo loginInf
                 // Failed only occurs when the user does not exist
                 errors.Add("The requested provider (" + loginInfo.LoginProvider + ") has not been linked to an account, the provider must be linked from the back office.");
             }
+            else if (result == ExternalLoginSignInResult.NotAllowed)
+            {
+                // This occurs when the external provider has approved the login but custom logic in OnExternalLogin has denined it.
+                errors.Add($"The user {loginInfo.Principal.Identity.Name} for the external provider {loginInfo.ProviderDisplayName} has not been accepted and cannot sign in.");
+            }
             else if (result == AutoLinkSignInResult.FailedNotLinked)
             {
                 errors.Add("The requested provider (" + loginInfo.LoginProvider + ") has not been linked to an account, the provider must be linked from the back office.");
diff --git a/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs b/src/Umbraco.Web.BackOffice/Security/BackOfficeSignInManager.cs
@@ -77,7 +77,8 @@ public async Task<SignInResult> ExternalLoginSignInAsync(ExternalLoginInfo login
                 var shouldSignIn = autoLinkOptions.OnExternalLogin(user, loginInfo);
                 if (shouldSignIn == false)
                 {
-                    Logger.LogWarning("The AutoLinkOptions of the external authentication provider '{LoginProvider}' have refused the login based on the OnExternalLogin method. Affected user id: '{UserId}'", loginInfo.LoginProvider, user.Id);
+                    LogFailedExternalLogin(loginInfo, user);
+                    return ExternalLoginSignInResult.NotAllowed;
                 }
             }
 
@@ -192,7 +193,16 @@ private async Task<SignInResult> AutoLinkAndSignInExternalAccount(ExternalLoginI
                         return AutoLinkSignInResult.FailedException(ex.Message);
                     }
 
-                    return await LinkUser(autoLinkUser, loginInfo);
+                    var shouldLinkUser = autoLinkOptions.OnExternalLogin == null || autoLinkOptions.OnExternalLogin(autoLinkUser, loginInfo);
+                    if (shouldLinkUser)
+                    {
+                        return await LinkUser(autoLinkUser, loginInfo);
+                    }
+                    else
+                    {
+                        LogFailedExternalLogin(loginInfo, autoLinkUser);
+                        return ExternalLoginSignInResult.NotAllowed;
+                    }
                 }
                 else
                 {
@@ -225,7 +235,16 @@ private async Task<SignInResult> AutoLinkAndSignInExternalAccount(ExternalLoginI
                     }
                     else
                     {
-                        return await LinkUser(autoLinkUser, loginInfo);
+                        var shouldLinkUser = autoLinkOptions.OnExternalLogin == null || autoLinkOptions.OnExternalLogin(autoLinkUser, loginInfo);
+                        if (shouldLinkUser)
+                        {
+                            return await LinkUser(autoLinkUser, loginInfo);
+                        }
+                        else
+                        {
+                            LogFailedExternalLogin(loginInfo, autoLinkUser);
+                            return ExternalLoginSignInResult.NotAllowed;
+                        }
                     }
                 }
             }
@@ -264,5 +283,8 @@ private async Task<SignInResult> LinkUser(BackOfficeIdentityUser autoLinkUser, E
                 return AutoLinkSignInResult.FailedLinkingUser(errors);
             }
         }
+
+        private void LogFailedExternalLogin(ExternalLoginInfo loginInfo, BackOfficeIdentityUser user) =>
+            Logger.LogWarning("The AutoLinkOptions of the external authentication provider '{LoginProvider}' have refused the login based on the OnExternalLogin method. Affected user id: '{UserId}'", loginInfo.LoginProvider, user.Id);
     }
 }
diff --git a/src/Umbraco.Web.BackOffice/Security/ExternalLoginSignInResult.cs b/src/Umbraco.Web.BackOffice/Security/ExternalLoginSignInResult.cs
@@ -0,0 +1,15 @@
+using Microsoft.AspNetCore.Identity;
+
+namespace Umbraco.Cms.Web.BackOffice.Security
+{
+    /// <summary>
+    /// Result returned from signing in when external logins are used.
+    /// </summary>
+    public class ExternalLoginSignInResult : SignInResult
+    {
+        public static ExternalLoginSignInResult NotAllowed { get; } = new ExternalLoginSignInResult()
+        {
+            Succeeded = false
+        };
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -517,6 +517,11 @@ private async Task<IActionResult> ExternalSignInAsync(ExternalLoginInfo loginInf`
`517`	`517`	`// Failed only occurs when the user does not exist`
`518`	`518`	`errors.Add("The requested provider (" + loginInfo.LoginProvider + ") has not been linked to an account, the provider must be linked from the back office.");`
`519`	`519`	`}`
	`520`	`+ else if (result == ExternalLoginSignInResult.NotAllowed)`
	`521`	`+ {`
	`522`	`+ // This occurs when the external provider has approved the login but custom logic in OnExternalLogin has denined it.`
	`523`	`+ errors.Add($"The user {loginInfo.Principal.Identity.Name} for the external provider {loginInfo.ProviderDisplayName} has not been accepted and cannot sign in.");`
	`524`	`+ }`
`520`	`525`	`else if (result == AutoLinkSignInResult.FailedNotLinked)`
`521`	`526`	`{`
`522`	`527`	`errors.Add("The requested provider (" + loginInfo.LoginProvider + ") has not been linked to an account, the provider must be linked from the back office.");`
Original file line number	Diff line number	Diff line change
`@@ -77,7 +77,8 @@ public async Task<SignInResult> ExternalLoginSignInAsync(ExternalLoginInfo login`
`77`	`77`	`var shouldSignIn = autoLinkOptions.OnExternalLogin(user, loginInfo);`
`78`	`78`	`if (shouldSignIn == false)`
`79`	`79`	`{`
`80`		`- Logger.LogWarning("The AutoLinkOptions of the external authentication provider '{LoginProvider}' have refused the login based on the OnExternalLogin method. Affected user id: '{UserId}'", loginInfo.LoginProvider, user.Id);`
	`80`	`+ LogFailedExternalLogin(loginInfo, user);`
	`81`	`+ return ExternalLoginSignInResult.NotAllowed;`
`81`	`82`	`}`
`82`	`83`	`}`
`83`	`84`
`@@ -192,7 +193,16 @@ private async Task<SignInResult> AutoLinkAndSignInExternalAccount(ExternalLoginI`
`192`	`193`	`return AutoLinkSignInResult.FailedException(ex.Message);`
`193`	`194`	`}`
`194`	`195`
`195`		`- return await LinkUser(autoLinkUser, loginInfo);`
	`196`	`+ var shouldLinkUser = autoLinkOptions.OnExternalLogin == null \|\| autoLinkOptions.OnExternalLogin(autoLinkUser, loginInfo);`
	`197`	`+ if (shouldLinkUser)`
	`198`	`+ {`
	`199`	`+ return await LinkUser(autoLinkUser, loginInfo);`
	`200`	`+ }`
	`201`	`+ else`
	`202`	`+ {`
	`203`	`+ LogFailedExternalLogin(loginInfo, autoLinkUser);`
	`204`	`+ return ExternalLoginSignInResult.NotAllowed;`
	`205`	`+ }`
`196`	`206`	`}`
`197`	`207`	`else`
`198`	`208`	`{`
`@@ -225,7 +235,16 @@ private async Task<SignInResult> AutoLinkAndSignInExternalAccount(ExternalLoginI`
`225`	`235`	`}`
`226`	`236`	`else`
`227`	`237`	`{`
`228`		`- return await LinkUser(autoLinkUser, loginInfo);`
	`238`	`+ var shouldLinkUser = autoLinkOptions.OnExternalLogin == null \|\| autoLinkOptions.OnExternalLogin(autoLinkUser, loginInfo);`
	`239`	`+ if (shouldLinkUser)`
	`240`	`+ {`
	`241`	`+ return await LinkUser(autoLinkUser, loginInfo);`
	`242`	`+ }`
	`243`	`+ else`
	`244`	`+ {`
	`245`	`+ LogFailedExternalLogin(loginInfo, autoLinkUser);`
	`246`	`+ return ExternalLoginSignInResult.NotAllowed;`
	`247`	`+ }`
`229`	`248`	`}`
`230`	`249`	`}`
`231`	`250`	`}`
`@@ -264,5 +283,8 @@ private async Task<SignInResult> LinkUser(BackOfficeIdentityUser autoLinkUser, E`
`264`	`283`	`return AutoLinkSignInResult.FailedLinkingUser(errors);`
`265`	`284`	`}`
`266`	`285`	`}`
	`286`	`+`
	`287`	`+ private void LogFailedExternalLogin(ExternalLoginInfo loginInfo, BackOfficeIdentityUser user) =>`
	`288`	`+ Logger.LogWarning("The AutoLinkOptions of the external authentication provider '{LoginProvider}' have refused the login based on the OnExternalLogin method. Affected user id: '{UserId}'", loginInfo.LoginProvider, user.Id);`
`267`	`289`	`}`
`268`	`290`	`}`