admin/server
1
0
Fork 0
mirror of https://github.com/bitwarden/server.git synced 2026-02-03 23:53:19 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
5a8e5491944f858d6f6eb8fcff0b2b7c0ed37207
server/src/Identity/IdentityServer/CustomTokenRequestValidator.cs

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

227 lines
9.7 KiB
C#
Raw Normal View History

Turn On `ImplicitUsings` (#2079) * Turn on ImplicitUsings * Fix formatting * Run linter
2022-06-29 19:46:41 -04:00
using System.Security.Claims;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
using Bit.Core;
[AC-1145] Add trusted devices option to SSO Config Data (#2909) * [AC-1145] Add TDE feature flag * [AC-1145] Update .gitignore to ignore flags.json in the Api project * [AC-1145] Introduce MemberDecryptionType property on SsoConfigurationData * [AC-1145] Add MemberDecryptionType to the SsoConfigurationDataRequest model * [AC-1145] Automatically enable password reset policy on TDE selection * [AC-1145] Remove references to obsolete KeyConnectorEnabled field * [AC-1145] Formatting * [AC-1145] Update XML doc reference to MemberDecryptionType
2023-05-10 12:52:08 -07:00
using Bit.Core.Auth.Enums;
[PM-1188] Server owner auth migration (#2825) * [PM-1188] add sso project to auth * [PM-1188] move sso api models to auth * [PM-1188] fix sso api model namespace & imports * [PM-1188] move core files to auth * [PM-1188] fix core sso namespace & models * [PM-1188] move sso repository files to auth * [PM-1188] fix sso repo files namespace & imports * [PM-1188] move sso sql files to auth folder * [PM-1188] move sso test files to auth folders * [PM-1188] fix sso tests namespace & imports * [PM-1188] move auth api files to auth folder * [PM-1188] fix auth api files namespace & imports * [PM-1188] move auth core files to auth folder * [PM-1188] fix auth core files namespace & imports * [PM-1188] move auth email templates to auth folder * [PM-1188] move auth email folder back into shared directory * [PM-1188] fix auth email names * [PM-1188] move auth core models to auth folder * [PM-1188] fix auth model namespace & imports * [PM-1188] add entire Identity project to auth codeowners * [PM-1188] fix auth orm files namespace & imports * [PM-1188] move auth orm files to auth folder * [PM-1188] move auth sql files to auth folder * [PM-1188] move auth tests to auth folder * [PM-1188] fix auth test files namespace & imports * [PM-1188] move emergency access api files to auth folder * [PM-1188] fix emergencyaccess api files namespace & imports * [PM-1188] move emergency access core files to auth folder * [PM-1188] fix emergency access core files namespace & imports * [PM-1188] move emergency access orm files to auth folder * [PM-1188] fix emergency access orm files namespace & imports * [PM-1188] move emergency access sql files to auth folder * [PM-1188] move emergencyaccess test files to auth folder * [PM-1188] fix emergency access test files namespace & imports * [PM-1188] move captcha files to auth folder * [PM-1188] fix captcha files namespace & imports * [PM-1188] move auth admin files into auth folder * [PM-1188] fix admin auth files namespace & imports - configure mvc to look in auth folders for views * [PM-1188] remove extra imports and formatting * [PM-1188] fix ef auth model imports * [PM-1188] fix DatabaseContextModelSnapshot paths * [PM-1188] fix grant import in ef * [PM-1188] update sqlproj * [PM-1188] move missed sqlproj files * [PM-1188] move auth ef models out of auth folder * [PM-1188] fix auth ef models namespace * [PM-1188] remove auth ef models unused imports * [PM-1188] fix imports for auth ef models * [PM-1188] fix more ef model imports * [PM-1188] fix file encodings
2023-04-14 13:25:56 -04:00
using Bit.Core.Auth.Identity;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
using Bit.Core.Auth.Models.Api.Response;
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
using Bit.Core.Auth.Models.Business.Tokenables;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
using Bit.Core.Auth.Models.Data;
[PM-1188] Server owner auth migration (#2825) * [PM-1188] add sso project to auth * [PM-1188] move sso api models to auth * [PM-1188] fix sso api model namespace & imports * [PM-1188] move core files to auth * [PM-1188] fix core sso namespace & models * [PM-1188] move sso repository files to auth * [PM-1188] fix sso repo files namespace & imports * [PM-1188] move sso sql files to auth folder * [PM-1188] move sso test files to auth folders * [PM-1188] fix sso tests namespace & imports * [PM-1188] move auth api files to auth folder * [PM-1188] fix auth api files namespace & imports * [PM-1188] move auth core files to auth folder * [PM-1188] fix auth core files namespace & imports * [PM-1188] move auth email templates to auth folder * [PM-1188] move auth email folder back into shared directory * [PM-1188] fix auth email names * [PM-1188] move auth core models to auth folder * [PM-1188] fix auth model namespace & imports * [PM-1188] add entire Identity project to auth codeowners * [PM-1188] fix auth orm files namespace & imports * [PM-1188] move auth orm files to auth folder * [PM-1188] move auth sql files to auth folder * [PM-1188] move auth tests to auth folder * [PM-1188] fix auth test files namespace & imports * [PM-1188] move emergency access api files to auth folder * [PM-1188] fix emergencyaccess api files namespace & imports * [PM-1188] move emergency access core files to auth folder * [PM-1188] fix emergency access core files namespace & imports * [PM-1188] move emergency access orm files to auth folder * [PM-1188] fix emergency access orm files namespace & imports * [PM-1188] move emergency access sql files to auth folder * [PM-1188] move emergencyaccess test files to auth folder * [PM-1188] fix emergency access test files namespace & imports * [PM-1188] move captcha files to auth folder * [PM-1188] fix captcha files namespace & imports * [PM-1188] move auth admin files into auth folder * [PM-1188] fix admin auth files namespace & imports - configure mvc to look in auth folders for views * [PM-1188] remove extra imports and formatting * [PM-1188] fix ef auth model imports * [PM-1188] fix DatabaseContextModelSnapshot paths * [PM-1188] fix grant import in ef * [PM-1188] update sqlproj * [PM-1188] move missed sqlproj files * [PM-1188] move auth ef models out of auth folder * [PM-1188] fix auth ef models namespace * [PM-1188] remove auth ef models unused imports * [PM-1188] fix imports for auth ef models * [PM-1188] fix more ef model imports * [PM-1188] fix file encodings
2023-04-14 13:25:56 -04:00
using Bit.Core.Auth.Repositories;
Add disable send policy (#1130) * Add Disable Send policy * Test DisableSend policy * PR Review * Update tests for using CurrentContext This required making an interface for CurrentContext and mocking out the members used. The interface can be expanded as needed for tests. I moved CurrentContext to a folder, which changes the namespace and causes a lot of file touches, but most are just adding a reference * Fix failing test * Update exemption to include all exempt users * Move all CurrentContext usages to ICurrentContext * PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
using Bit.Core.Context;
Split out repositories to Infrastructure.Dapper / EntityFramework (#1759)
2022-01-11 10:40:51 +01:00
using Bit.Core.Entities;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
using Bit.Core.Enums;
[SM-394] Secrets Manager (#2164) Long lived feature branch for Secrets Manager Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com> Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com> Co-authored-by: Thomas Avery <tavery@bitwarden.com> Co-authored-by: Colton Hurst <colton@coltonhurst.com>
2023-01-13 15:02:53 +01:00
using Bit.Core.IdentityServer;
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Settings;
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
using Bit.Core.Tokens;
Implement User-based API Keys (#981) * added column ApiKey to dbo.User * added dbo.User.ApiKey to User_Update * added dbo.User.ApiKey to User_Create * wrote migration script for implementing dbo.User.ApiKey * Added ApiKey prop to the User table model * Created AccountsController method for getting a user's API Key * Created AccountsController method for rotating a user API key * Added support to ApiClient for passed-through ClientSecrets when the request comes from the cli * Added a new conditional to ClientStore to account for user API keys * Wrote unit tests for new user API Key methods * Added a refresh of dbo.UserView to new migration script for ApiKey * Let client_credentials grants into the custom token logic * Cleanup for ApiKey auth in the CLI feature * Created user API key on registration * Removed uneeded code for user API keys * Changed a .Contains() to a .StartsWith() in ClientStore * Changed index that an array is searched on * Added more claims to the user apikey clients * Moved some claim finding logic to a helper method
2020-11-10 15:15:29 -05:00
using IdentityModel;
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
using IdentityServer4.Extensions;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
#nullable enable
[SM-220] Move identity specific files to identity (#2279)
2022-09-27 18:30:37 +02:00
namespace Bit.Identity.IdentityServer;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
public class CustomTokenRequestValidator : BaseRequestValidator<CustomTokenRequestValidationContext>,
ICustomTokenRequestValidator
{
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
private readonly UserManager<User> _userManager;
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
private readonly ISsoConfigRepository _ssoConfigRepository;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
private readonly IFeatureService _featureService;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
public CustomTokenRequestValidator(
UserManager<User> userManager,
IDeviceRepository deviceRepository,
IDeviceService deviceService,
IUserService userService,
IEventService eventService,
IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
IOrganizationRepository organizationRepository,
IOrganizationUserRepository organizationUserRepository,
IApplicationCacheService applicationCacheService,
IMailService mailService,
[SM-394] Secrets Manager (#2164) Long lived feature branch for Secrets Manager Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com> Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com> Co-authored-by: Thomas Avery <tavery@bitwarden.com> Co-authored-by: Colton Hurst <colton@coltonhurst.com>
2023-01-13 15:02:53 +01:00
ILogger<CustomTokenRequestValidator> logger,
Add disable send policy (#1130) * Add Disable Send policy * Test DisableSend policy * PR Review * Update tests for using CurrentContext This required making an interface for CurrentContext and mocking out the members used. The interface can be expanded as needed for tests. I moved CurrentContext to a folder, which changes the namespace and causes a lot of file touches, but most are just adding a reference * Fix failing test * Update exemption to include all exempt users * Move all CurrentContext usages to ICurrentContext * PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
ICurrentContext currentContext,
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
GlobalSettings globalSettings,
Add support for crypto agent (#1623)
2021-10-25 15:09:14 +02:00
IPolicyRepository policyRepository,
Add disable send policy (#1130) * Add Disable Send policy * Test DisableSend policy * PR Review * Update tests for using CurrentContext This required making an interface for CurrentContext and mocking out the members used. The interface can be expanded as needed for tests. I moved CurrentContext to a folder, which changes the namespace and causes a lot of file touches, but most are just adding a reference * Fix failing test * Update exemption to include all exempt users * Move all CurrentContext usages to ICurrentContext * PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
ISsoConfigRepository ssoConfigRepository,
[AC-1070] Enforce master password policy on login (#2714) * [EC-1070] Add API endpoint to retrieve all policies for the current user The additional API endpoint is required to avoid forcing a full sync call before every login for master password policy enforcement on login. * [EC-1070] Add MasterPasswordPolicyData model * [EC-1070] Move PolicyResponseModel to Core project The response model is used by both the Identity and Api projects. * [EC-1070] Supply master password polices as a custom identity token response * [EC-1070] Include master password policies in 2FA token response * [EC-1070] Add response model to verify-password endpoint that includes master password policies * [AC-1070] Introduce MasterPasswordPolicyResponseModel * [AC-1070] Add policy service method to retrieve a user's master password policy * [AC-1070] User new policy service method - Update BaseRequestValidator - Update AccountsController for /verify-password endpoint - Update VerifyMasterPasswordResponseModel to accept MasterPasswordPolicyData * [AC-1070] Cleanup new policy service method - Use User object instead of Guid - Remove TODO message - Use `PolicyRepository.GetManyByTypeApplicableToUserIdAsync` instead of filtering locally * [AC-1070] Cleanup MasterPasswordPolicy models - Remove default values from both models - Add missing `RequireLower` - Fix mismatched properties in `CombineWith` method - Make properties nullable in response model * [AC-1070] Remove now un-used GET /policies endpoint * [AC-1070] Update policy service method to use GetManyByUserIdAsync * [AC-1070] Ensure existing value is not null before comparison * [AC-1070] Remove redundant VerifyMasterPasswordResponse model * [AC-1070] Fix service typo in constructor
2023-04-17 07:35:47 -07:00
IUserRepository userRepository,
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
IPolicyService policyService,
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
IDataProtectorTokenFactory<SsoEmail2faSessionTokenable> tokenDataFactory,
IFeatureService featureService)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
: base(userManager, deviceRepository, deviceService, userService, eventService,
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository,
userRepository, policyService, tokenDataFactory)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
{
_userManager = userManager;
Add support for crypto agent (#1623)
2021-10-25 15:09:14 +02:00
_ssoConfigRepository = ssoConfigRepository;
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
_featureService = featureService;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
public async Task ValidateAsync(CustomTokenRequestValidationContext context)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
string[] allowedGrantTypes = { "authorization_code", "client_credentials" };
Add disable send policy (#1130) * Add Disable Send policy * Test DisableSend policy * PR Review * Update tests for using CurrentContext This required making an interface for CurrentContext and mocking out the members used. The interface can be expanded as needed for tests. I moved CurrentContext to a folder, which changes the namespace and causes a lot of file touches, but most are just adding a reference * Fix failing test * Update exemption to include all exempt users * Move all CurrentContext usages to ICurrentContext * PR review. Match messaging with Web
2021-02-04 12:54:21 -06:00
if (!allowedGrantTypes.Contains(context.Result.ValidatedRequest.GrantType)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
|| context.Result.ValidatedRequest.ClientId.StartsWith("organization")
[SG-419] Fix problems with push notifications on self-host (#2338) * Added "internal" to non-user-based request types to avoid failing validation. * Added handling of unsuccessful response so that JSON parsing eror doesn't occur. * Added logging for token errors. (cherry picked from commit dad143b3e42247bc6b397b60803e25d243bd83a5) * Fixed bug in next auth attempt handling. * Fixed linting. * Added deserialization options to handle case insensitivity. * Added a new method for SendAsync that does not expect a result from the client. * hasJsonResult param to make Send more reusable * some cleanup * fix lint problems * Added launch config for Notifications. * Added Notifications to Full Server config. Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
2022-11-01 09:58:28 -04:00
|| context.Result.ValidatedRequest.ClientId.StartsWith("installation")
[SM-394] Secrets Manager (#2164) Long lived feature branch for Secrets Manager Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com> Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com> Co-authored-by: Thomas Avery <tavery@bitwarden.com> Co-authored-by: Colton Hurst <colton@coltonhurst.com>
2023-01-13 15:02:53 +01:00
|| context.Result.ValidatedRequest.ClientId.StartsWith("internal")
|| context.Result.ValidatedRequest.Client.AllowedScopes.Contains(ApiScopes.ApiSecrets))
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
{
[SM-394] Secrets Manager (#2164) Long lived feature branch for Secrets Manager Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com> Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com> Co-authored-by: Thomas Avery <tavery@bitwarden.com> Co-authored-by: Colton Hurst <colton@coltonhurst.com>
2023-01-13 15:02:53 +01:00
if (context.Result.ValidatedRequest.Client.Properties.TryGetValue("encryptedPayload", out var payload) &&
!string.IsNullOrWhiteSpace(payload))
{
context.Result.CustomResponse = new Dictionary<string, object> { { "encrypted_payload", payload } };
}
Add support for crypto agent (#1623)
2021-10-25 15:09:14 +02:00
return;
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
}
[SM-394] Secrets Manager (#2164) Long lived feature branch for Secrets Manager Co-authored-by: Thomas Avery <43214426+Thomas-Avery@users.noreply.github.com> Co-authored-by: cd-bitwarden <106776772+cd-bitwarden@users.noreply.github.com> Co-authored-by: CarleyDiaz-Bitwarden <103955722+CarleyDiaz-Bitwarden@users.noreply.github.com> Co-authored-by: Thomas Avery <tavery@bitwarden.com> Co-authored-by: Colton Hurst <colton@coltonhurst.com>
2023-01-13 15:02:53 +01:00
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
await ValidateAsync(context, context.Result.ValidatedRequest,
new CustomValidatorRequestContext { KnownDevice = true });
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected async override Task<bool> ValidateContextAsync(CustomTokenRequestValidationContext context,
CustomValidatorRequestContext validatorContext)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
var email = context.Result.ValidatedRequest.Subject?.GetDisplayName()
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
?? context.Result.ValidatedRequest.ClientClaims
?.FirstOrDefault(claim => claim.Type == JwtClaimTypes.Email)?.Value;
Performed some null checks (#991)
2020-11-13 08:53:36 -05:00
if (!string.IsNullOrWhiteSpace(email))
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
{
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
validatorContext.User = await _userManager.FindByEmailAsync(email);
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
}
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
return validatorContext.User != null;
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
protected override async Task SetSuccessResult(CustomTokenRequestValidationContext context, User user,
List<Claim> claims, Dictionary<string, object> customResponse)
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
context.Result.CustomResponse = customResponse;
if (claims?.Any() ?? false)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
{
Implement User-based API Keys (#981) * added column ApiKey to dbo.User * added dbo.User.ApiKey to User_Update * added dbo.User.ApiKey to User_Create * wrote migration script for implementing dbo.User.ApiKey * Added ApiKey prop to the User table model * Created AccountsController method for getting a user's API Key * Created AccountsController method for rotating a user API key * Added support to ApiClient for passed-through ClientSecrets when the request comes from the cli * Added a new conditional to ClientStore to account for user API keys * Wrote unit tests for new user API Key methods * Added a refresh of dbo.UserView to new migration script for ApiKey * Let client_credentials grants into the custom token logic * Cleanup for ApiKey auth in the CLI feature * Created user API key on registration * Removed uneeded code for user API keys * Changed a .Contains() to a .StartsWith() in ClientStore * Changed index that an array is searched on * Added more claims to the user apikey clients * Moved some claim finding logic to a helper method
2020-11-10 15:15:29 -05:00
context.Result.ValidatedRequest.Client.AlwaysSendClientClaims = true;
Performed some null checks (#991)
2020-11-13 08:53:36 -05:00
context.Result.ValidatedRequest.Client.ClientClaimsPrefix = string.Empty;
foreach (var claim in claims)
captcha scores (#1967) * captcha scores * some api fixes * check bot on captcha attribute * Update src/Core/Services/Implementations/HCaptchaValidationService.cs Co-authored-by: e271828- <e271828-@users.noreply.github.com> Co-authored-by: Chad Scharf <3904944+cscharf@users.noreply.github.com> Co-authored-by: e271828- <e271828-@users.noreply.github.com>
2022-05-09 12:25:13 -04:00
{
context.Result.ValidatedRequest.ClientClaims.Add(claim);
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
}
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
// Attempts to find ssoConfigData for a given validate request subject
// this is actually guarenteed to pretty often be null, because more than just sso login requests will come
// through here
var ssoConfigData = await GetSsoConfigurationDataAsync(context.Result.ValidatedRequest.Subject);
// You can't put this below the user.MasterPassword != null check because TDE users can still have a MasterPassword
// It's worth noting that CurrentContext here will build a user in LaunchDarkly that is anonymous but DOES belong
// to an organization. So we will not be able to turn this feature on for only a single user, only for an entire
// organization at a time.
if (ssoConfigData != null && _featureService.IsEnabled(FeatureFlagKeys.TrustedDeviceEncryption, CurrentContext))
{
context.Result.CustomResponse["UserDecryptionOptions"] = await CreateUserDecryptionOptionsAsync(ssoConfigData, user);
}
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
if (context.Result.CustomResponse == null || user.MasterPassword != null)
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
{
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
return;
}
// KeyConnector responses below
// Apikey login
if (context.Result.ValidatedRequest.GrantType == "client_credentials")
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
{
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
if (user.UsesKeyConnector)
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
{
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
// KeyConnectorUrl is configured in the CLI client, we just need to tell the client to use it
context.Result.CustomResponse["ApiUseKeyConnector"] = true;
context.Result.CustomResponse["ResetMasterPassword"] = false;
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
}
Defect/PM-1196 - SSO with Email 2FA Flow - Email Required error fixed (#2874) * PM-1196 - Created first draft solution for solving SSO with Email 2FA serverside. Per architectural review discussion, will be replacing OTP use with expiring tokenable implementation in order to decouple the OTP implementation from the need for an auth factor when arriving on the email 2FA screen post SSO. * PM-1196 - Refactored OTP solution to leverage newly created SsoEmail2faSessionTokenable. Working now but some code cleanup required. Might revisit whether or not we still send down email alongside the token or not to make the SendEmailLoginAsync method more streamlined. * PM-1196 - Send down email separately on token rejection b/c of 2FA required so that 2FA Controller send email login can be refactored to be much cleaner with email required. * PM-1196 - Fix lint issues w/ dotnet format. * PM-1196 - More formatting issue fixes. * PM-1196 - Remove unnecessary check as email is required again on TwoFactorEmailRequestModel * PM-1196 - Update SsoEmail2faSessionTokenable to expire after just over 2 min to match client side auth service expiration of 2 min with small buffer. * PM-1196 - Fix lint issue w/ dotnet format. * PM-1196 - Per PR feedback, move CustomTokenRequestValidator constructor param to new line * PM-1196 - Per PR feedback, update ThrowDelayedBadRequestExceptionAsync to return a task so that it can be awaited and so that the calling code can handle any exceptions that occur during its execution * PM-1196 - Per PR feedback, refactor SsoEmail2faSessionTokenable to leverage TimeSpan vs double for token expiration lifetime.
2023-05-04 15:12:03 -04:00
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
return;
}
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
Key Connector feature toggle (#1716)
2021-11-17 11:46:35 +01:00
// SSO login
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
// This does a double check, that ssoConfigData is not null and that it has the KeyConnector member decryption type
if (ssoConfigData is { MemberDecryptionType: MemberDecryptionType.KeyConnector } && !string.IsNullOrEmpty(ssoConfigData.KeyConnectorUrl))
Add support for Key Connector OTP and account migration (#1663) Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
2021-11-09 16:37:32 +01:00
{
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
// TODO: Can be removed in the future
context.Result.CustomResponse["KeyConnectorUrl"] = ssoConfigData.KeyConnectorUrl;
// Prevent clients redirecting to set-password
context.Result.CustomResponse["ResetMasterPassword"] = false;
}
}
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
private async Task<SsoConfigurationData?> GetSsoConfigurationDataAsync(ClaimsPrincipal? subject)
{
var organizationClaim = subject?.FindFirstValue("organizationId");
Revert filescoped (#2227) * Revert "Add git blame entry (#2226)" This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d. * Revert "Turn on file scoped namespaces (#2225)" This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
2022-08-29 15:53:48 -04:00
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
if (organizationClaim == null || !Guid.TryParse(organizationClaim, out var organizationId))
{
return null;
}
var ssoConfig = await _ssoConfigRepository.GetByOrganizationIdAsync(organizationId);
if (ssoConfig == null)
{
return null;
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
}
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
return ssoConfig.GetData();
Run formatting (#2230)
2022-08-29 16:06:55 -04:00
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected override void SetTwoFactorResult(CustomTokenRequestValidationContext context,
Dictionary<string, object> customResponse)
{
context.Result.Error = "invalid_grant";
context.Result.ErrorDescription = "Two factor required.";
context.Result.IsError = true;
context.Result.CustomResponse = customResponse;
}
[Require SSO] Enterprise policy enforcement (#970) * Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
2020-10-26 11:56:16 -05:00
protected override void SetSsoResult(CustomTokenRequestValidationContext context,
Fix skip sso for apikey login (#1308) * Improve mixing SSO login error * Skip SSO requirement for API key logins * Bypass MFA for apikey logins
2021-05-10 11:13:37 -05:00
Dictionary<string, object> customResponse)
{
context.Result.Error = "invalid_grant";
context.Result.ErrorDescription = "Single Sign on required.";
context.Result.IsError = true;
context.Result.CustomResponse = customResponse;
}
[Require SSO] Enterprise policy enforcement (#970) * Initial commit of require sso authentication policy enforcement * Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future * Update policy name // adjusted conditional to demorgan's * Updated sproc // Added migrator script * Added .sql file extension to DeleteOrgUserWithOrg migrator script * Added policy // edit // strings // validation to business portal * Change requests from review // Added Owner & Admin exemption * Updated repository function used to get org user's type * Updated with requested changes
2020-10-26 11:56:16 -05:00
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
protected override void SetErrorResult(CustomTokenRequestValidationContext context,
Dictionary<string, object> customResponse)
{
context.Result.Error = "invalid_grant";
context.Result.IsError = true;
context.Result.CustomResponse = customResponse;
}
[PM-1815] Include Member Decryption Type in Token Response (#2927) * Include Member Decryption Type * Make ICurrentContext protected from base class * Return MemberDecryptionType * Extend WebApplicationFactoryBase - Allow for service subsitution * Create SSO Tests - Mock IAuthorizationCodeStore so the SSO process can be limited to Identity * Add MemberDecryptionOptions * Remove Unused Property Assertion * Make MemberDecryptionOptions an Array * Address PR Feedback * Make HasAdminApproval Policy Aware * Format * Use Object Instead * Add UserDecryptionOptions File
2023-06-19 10:16:15 -04:00
/// <summary>
/// Used to create a list of all possible ways the newly authenticated user can decrypt their vault contents
/// </summary>
private async Task<UserDecryptionOptions> CreateUserDecryptionOptionsAsync(SsoConfigurationData ssoConfigurationData, User user)
{
var userDecryptionOption = new UserDecryptionOptions();
if (ssoConfigurationData is { MemberDecryptionType: MemberDecryptionType.KeyConnector } && !string.IsNullOrEmpty(ssoConfigurationData.KeyConnectorUrl))
{
// KeyConnector makes it mutually exclusive
userDecryptionOption.KeyConnectorOption = new KeyConnectorUserDecryptionOption(ssoConfigurationData.KeyConnectorUrl);
return userDecryptionOption;
}
if (ssoConfigurationData is { MemberDecryptionType: MemberDecryptionType.TrustedDeviceEncryption })
{
var hasAdminApproval = await PolicyService.AnyPoliciesApplicableToUserAsync(user.Id, PolicyType.ResetPassword);
// TrustedDeviceEncryption only exists for SSO, but if that ever changes this value won't always be true
userDecryptionOption.TrustedDeviceOption = new TrustedDeviceUserDecryptionOption(hasAdminApproval);
}
userDecryptionOption.HasMasterPassword = !string.IsNullOrEmpty(user.MasterPassword);
return userDecryptionOption;
}
sso integrations (#822) * stub out hybrid sso * support for PKCE authorization_code clients * sso service urls * sso client key * abstract request validator * support for verifying password * custom AuthorizationCodeStore that does not remove codes * cleanup * comment * created master password * ResetMasterPassword * rename Sso client to OidcIdentity * update env builder * bitwarden sso project in docker-compose * sso path in nginx config
2020-07-16 08:01:39 -04:00
}
Reference in New Issue Copy Permalink