src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs

using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Bit.Core.Context;
using Bit.Core.Entities;
using Bit.Core.Identity;
using Bit.Core.Repositories;
using Bit.Core.Services;
using Bit.Core.Settings;
using Bit.Core.Utilities;
using IdentityServer4.Models;
using IdentityServer4.Validation;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Logging;

namespace Bit.Core.IdentityServer
{
    public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
        IResourceOwnerPasswordValidator
    {
        private UserManager<User> _userManager;
        private readonly IUserService _userService;
        private readonly ICurrentContext _currentContext;
        private readonly ICaptchaValidationService _captchaValidationService;
        public ResourceOwnerPasswordValidator(
            UserManager<User> userManager,
            IDeviceRepository deviceRepository,
            IDeviceService deviceService,
            IUserService userService,
            IEventService eventService,
            IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
            IOrganizationRepository organizationRepository,
            IOrganizationUserRepository organizationUserRepository,
            IApplicationCacheService applicationCacheService,
            IMailService mailService,
            ILogger<ResourceOwnerPasswordValidator> logger,
            ICurrentContext currentContext,
            GlobalSettings globalSettings,
            IPolicyRepository policyRepository,
            ICaptchaValidationService captchaValidationService)
            : base(userManager, deviceRepository, deviceService, userService, eventService,
                  organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
                  applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
        {
            _userManager = userManager;
            _userService = userService;
            _currentContext = currentContext;
            _captchaValidationService = captchaValidationService;
        }

        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
            if (!AuthEmailHeaderIsValid(context))
            {
                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
                    "Auth-Email header invalid.");
                return;
            }

            string bypassToken = null;
            var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
            var unknownDevice = !await KnownDeviceAsync(user, context.Request);
            if (unknownDevice && _captchaValidationService.RequireCaptchaValidation(_currentContext))
            {
                var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString();

                if (string.IsNullOrWhiteSpace(captchaResponse))
                {
                    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.",
                        new Dictionary<string, object> {
                            { _captchaValidationService.SiteKeyResponseKeyName, _captchaValidationService.SiteKey },
                        });
                    return;
                }

                var captchaValid = _captchaValidationService.ValidateCaptchaBypassToken(captchaResponse, user) ||
                    await _captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse, _currentContext.IpAddress);
                if (!captchaValid)
                {
                    await BuildErrorResultAsync("Captcha is invalid. Please refresh and try again", false, context, null);
                    return;
                }
                bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user);
            }

            await ValidateAsync(context, context.Request);
            if (context.Result.CustomResponse != null && bypassToken != null)
            {
                context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken;
            }
        }

        protected async override Task<(User, bool)> ValidateContextAsync(ResourceOwnerPasswordValidationContext context)
        {
            if (string.IsNullOrWhiteSpace(context.UserName))
            {
                return (null, false);
            }

            var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
            if (user == null || !await _userService.CheckPasswordAsync(user, context.Password))
            {
                return (user, false);
            }

            return (user, true);
        }

        protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
            List<Claim> claims, Dictionary<string, object> customResponse)
        {
            context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
                identityProvider: "bitwarden",
                claims: claims.Count > 0 ? claims : null,
                customResponse: customResponse);
            return Task.CompletedTask;
        }

        protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
            Dictionary<string, object> customResponse)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
                customResponse);
        }

        protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
            Dictionary<string, object> customResponse)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
                customResponse);
        }

        protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
            Dictionary<string, object> customResponse)
        {
            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
        }

        private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
        {
            if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
            {
                return false;
            }
            else
            {
                try
                {
                    var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
                    var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);

                    if (authEmailDecoded != context.UserName)
                    {
                        return false;
                    }
                }
                catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
                {
                    // Invalid B64 encoding
                    return false;
                }
            }

            return true;
        }
    }
}
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								using System.Collections.Generic;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								using System.Security.Claims;
 								using System.Threading.Tasks;
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								using Bit.Core.Context;
-												Split out repositories to Infrastructure.Dapper / EntityFramework (#1759)


											
										
										
											2022-01-11 10:40:51 +01:00
+								using Bit.Core.Entities;
-												added org duo to 2fa flow

											
										
										
											2018-04-03 14:31:33 -04:00
+								using Bit.Core.Identity;
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								using Bit.Core.Repositories;
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								using Bit.Core.Services;
-												Use sas token for attachment downloads (#1153)

* Get limited life attachment download URL

This change limits url download to a 1min lifetime.
This requires moving to a new container to allow for non-public blob
access.

Clients will have to call GetAttachmentData api function to receive the download
URL. For backwards compatibility, attachment URLs are still present, but will not
work for attachments stored in non-public access blobs.

* Make GlobalSettings interface for testing

* Test LocalAttachmentStorageService equivalence

* Remove comment

* Add missing globalSettings using

* Simplify default attachment container

* Default to attachments containe for existing methods

A new upload method will be made for uploading to attachments-v2.
For compatibility for clients which don't use these new methods, we need
to still use the old container. The new container will be used only for
new uploads

* Remove Default MetaData fixture.

* Keep attachments container blob-level security for all instances

* Close unclosed FileStream

* Favor default value for noop services
											
										
										
											2021-02-22 15:35:16 -06:00
+								using Bit.Core.Settings;
-												Use UrlB64 encoding for auth-email header (#1503)


											
										
										
											2021-08-11 06:21:46 +10:00
+								using Bit.Core.Utilities;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								using IdentityServer4.Models;
 								using IdentityServer4.Validation;
 								using Microsoft.AspNetCore.Identity;
-												login failed log message

											
										
										
											2019-11-22 07:30:32 -05:00
+								using Microsoft.Extensions.Logging;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
-												move identityserver libs into core

											
										
										
											2017-05-05 16:11:50 -04:00
+								namespace Bit.Core.IdentityServer
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								{
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								    public class ResourceOwnerPasswordValidator : BaseRequestValidator<ResourceOwnerPasswordValidationContext>,
 								        IResourceOwnerPasswordValidator
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    {
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        private UserManager<User> _userManager;
-												verify all 2fa methods

											
										
										
											2017-06-20 14:50:12 -04:00
+								        private readonly IUserService _userService;
-												commented code to validate auth-email header (#1361)

* commented code to validate auth-email header

* format comment more
											
										
										
											2021-05-28 16:04:58 -04:00
+								        private readonly ICurrentContext _currentContext;
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								        private readonly ICaptchaValidationService _captchaValidationService;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        public ResourceOwnerPasswordValidator(
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								            UserManager<User> userManager,
-												notification hub push registration service

											
										
										
											2017-05-26 00:50:27 -04:00
+								            IDeviceRepository deviceRepository,
-												verify all 2fa methods

											
										
										
											2017-06-20 14:50:12 -04:00
+								            IDeviceService deviceService,
-												log user events

											
										
										
											2017-12-01 10:07:14 -05:00
+								            IUserService userService,
-												added org duo to 2fa flow

											
										
										
											2018-04-03 14:31:33 -04:00
+								            IEventService eventService,
 								            IOrganizationDuoWebTokenProvider organizationDuoWebTokenProvider,
 								            IOrganizationRepository organizationRepository,
 								            IOrganizationUserRepository organizationUserRepository,
 								            IApplicationCacheService applicationCacheService,
-												new device logged in email notification

											
										
										
											2019-01-24 22:37:49 -05:00
+								            IMailService mailService,
-												login failed log message

											
										
										
											2019-11-22 07:30:32 -05:00
+								            ILogger<ResourceOwnerPasswordValidator> logger,
-												Add disable send policy (#1130)

* Add Disable Send policy

* Test DisableSend policy

* PR Review

* Update tests for using CurrentContext

This required making an interface for CurrentContext and mocking out
the members used. The interface can be expanded as needed for tests.

I moved CurrentContext to a folder, which changes the namespace
and causes a lot of file touches, but most are just adding a reference

* Fix failing test

* Update exemption to include all exempt users

* Move all CurrentContext usages to ICurrentContext

* PR review. Match messaging with Web
											
										
										
											2021-02-04 12:54:21 -06:00
+								            ICurrentContext currentContext,
-												[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
											
										
										
											2020-10-26 11:56:16 -05:00
+								            GlobalSettings globalSettings,
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								            IPolicyRepository policyRepository,
 								            ICaptchaValidationService captchaValidationService)
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								            : base(userManager, deviceRepository, deviceService, userService, eventService,
 								                  organizationDuoWebTokenProvider, organizationRepository, organizationUserRepository,
-												[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
											
										
										
											2020-10-26 11:56:16 -05:00
+								                  applicationCacheService, mailService, logger, currentContext, globalSettings, policyRepository)
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        {
-												Moved identity implementations to scoped lifetime since they have dependencies on CurrentContext

											
										
										
											2017-01-25 22:31:14 -05:00
+								            _userManager = userManager;
-												verify all 2fa methods

											
										
										
											2017-06-20 14:50:12 -04:00
+								            _userService = userService;
-												commented code to validate auth-email header (#1361)

* commented code to validate auth-email header

* format comment more
											
										
										
											2021-05-28 16:04:58 -04:00
+								            _currentContext = currentContext;
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								            _captchaValidationService = captchaValidationService;
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
 								        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
 								        {
-												uncomment to require auth-email header (#1604)


											
										
										
											2021-09-30 11:24:29 -04:00
+								            if (!AuthEmailHeaderIsValid(context))
 								            {
 								                context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant,
 								                    "Auth-Email header invalid.");
 								                return;
 								            }
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								            string bypassToken = null;
-												Allow bypass of captcha token if the device is known (#1626)


											
										
										
											2021-10-08 18:59:35 -05:00
+								            var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
 								            var unknownDevice = !await KnownDeviceAsync(user, context.Request);
-												Remove erroneous not (#1629)


											
										
										
											2021-10-11 09:53:19 -05:00
+								            if (unknownDevice && _captchaValidationService.RequireCaptchaValidation(_currentContext))
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								            {
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                var captchaResponse = context.Request.Raw["captchaResponse"]?.ToString();
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								                if (string.IsNullOrWhiteSpace(captchaResponse))
 								                {
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                    context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Captcha required.",
 								                        new Dictionary<string, object> {
-												Protect user registration with captcha (#1480)

* Protect user registration with captcha

* PR feedback
											
										
										
											2021-07-22 12:29:06 -05:00
+								                            { _captchaValidationService.SiteKeyResponseKeyName, _captchaValidationService.SiteKey },
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                        });
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								                    return;
 								                }
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                var captchaValid = _captchaValidationService.ValidateCaptchaBypassToken(captchaResponse, user) ||
 								                    await _captchaValidationService.ValidateCaptchaResponseAsync(captchaResponse, _currentContext.IpAddress);
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								                if (!captchaValid)
 								                {
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                    await BuildErrorResultAsync("Captcha is invalid. Please refresh and try again", false, context, null);
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								                    return;
 								                }
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								                bypassToken = _captchaValidationService.GenerateCaptchaBypassToken(user);
-												hcaptcha validation on password login (#1398)


											
										
										
											2021-06-16 12:47:41 -04:00
+								            }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								            await ValidateAsync(context, context.Request);
-												Feature/sync Enable hcaptcha on login (#1469)

* Share globalSettings hcaptcha public key with clients

* Require captcha valid only prior to two factor

users with two factor will have already solved captcha is necessary.
Users without two factor will have`TwoFactorVerified` set to false

* Do not require CaptchaResponse on two-factor requests

* Add option to always require captcha for testing purposes

* Allow for self-hosted instances if they want to use it

* Move refresh suggestion to correct error

* Expect lifetime in helper method

* Add captcha bypass token to successful captcha validations

* Remove twofactorValidated

* PR Feedback
											
										
										
											2021-07-21 13:42:06 -05:00
+								            if (context.Result.CustomResponse != null && bypassToken != null)
 								            {
 								                context.Result.CustomResponse["CaptchaBypassToken"] = bypassToken;
 								            }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        }
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        protected async override Task<(User, bool)> ValidateContextAsync(ResourceOwnerPasswordValidationContext context)
 								        {
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            if (string.IsNullOrWhiteSpace(context.UserName))
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								            {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								                return (null, false);
-												refactored logic around remember me token

											
										
										
											2017-08-15 08:19:20 -04:00
+								            }
 								            var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
-												Changed all C# control flow block statements to include space between keyword and open paren

											
										
										
											2020-03-27 14:36:37 -04:00
+								            if (user == null || !await _userService.CheckPasswordAsync(user, context.Password))
-												refactored logic around remember me token

											
										
										
											2017-08-15 08:19:20 -04:00
+								            {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								                return (user, false);
-												refactored logic around remember me token

											
										
										
											2017-08-15 08:19:20 -04:00
+								            }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								            return (user, true);
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        }
-												Add support for Key Connector OTP and account migration (#1663)

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
											
										
										
											2021-11-09 16:37:32 +01:00
+								        protected override Task SetSuccessResult(ResourceOwnerPasswordValidationContext context, User user,
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								            List<Claim> claims, Dictionary<string, object> customResponse)
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        {
-												public and private keys added to db and user domain. added account APIs got getting and putting keys.

											
										
										
											2017-02-11 23:00:55 -05:00
+								            context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
 								                identityProvider: "bitwarden",
 								                claims: claims.Count > 0 ? claims : null,
-												return share information with cipher API response

											
										
										
											2017-02-21 22:52:02 -05:00
+								                customResponse: customResponse);
-												Add support for Key Connector OTP and account migration (#1663)

Co-authored-by: Thomas Rittson <trittson@bitwarden.com>
											
										
										
											2021-11-09 16:37:32 +01:00
+								            return Task.CompletedTask;
-												validate old auth bearer tokens so that we can generate new identity ones

											
										
										
											2017-01-21 23:12:28 -05:00
+								        }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        protected override void SetTwoFactorResult(ResourceOwnerPasswordValidationContext context,
 								            Dictionary<string, object> customResponse)
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								        {
 								            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								                customResponse);
-												cleanup ResourceOwnerPasswordValidator

											
										
										
											2017-01-25 00:28:18 -05:00
+								        }
-												[Require SSO] Enterprise policy enforcement (#970)

* Initial commit of require sso authentication policy enforcement

* Updated sproc to send UseSso flag // Updated base validator to send back error message // Added changes to EntityFramework (just so its there for the future

* Update policy name // adjusted conditional to demorgan's

* Updated sproc // Added migrator script

* Added .sql file extension to DeleteOrgUserWithOrg migrator script

* Added policy // edit // strings // validation to business portal

* Change requests from review // Added Owner & Admin exemption

* Updated repository function used to get org user's type

* Updated with requested changes
											
										
										
											2020-10-26 11:56:16 -05:00
+								        protected override void SetSsoResult(ResourceOwnerPasswordValidationContext context,
 								            Dictionary<string, object> customResponse)
 								        {
 								            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
 								                customResponse);
 								        }
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								        protected override void SetErrorResult(ResourceOwnerPasswordValidationContext context,
 								            Dictionary<string, object> customResponse)
-												Two factor and device handling on identity token validation

											
										
										
											2017-01-18 00:14:28 -05:00
+								        {
-												sso integrations (#822)

* stub out hybrid sso

* support for PKCE authorization_code clients

* sso service urls

* sso client key

* abstract request validator

* support for verifying password

* custom AuthorizationCodeStore that does not remove codes

* cleanup

* comment

* created master password

* ResetMasterPassword

* rename Sso client to OidcIdentity

* update env builder

* bitwarden sso project in docker-compose

* sso path in nginx config
											
										
										
											2020-07-16 08:01:39 -04:00
+								            context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								        }
-												Use UrlB64 encoding for auth-email header (#1503)


											
										
										
											2021-08-11 06:21:46 +10:00
 								        private bool AuthEmailHeaderIsValid(ResourceOwnerPasswordValidationContext context)
 								        {
 								            if (!_currentContext.HttpContext.Request.Headers.ContainsKey("Auth-Email"))
 								            {
 								                return false;
 								            }
 								            else
 								            {
 								                try
 								                {
 								                    var authEmailHeader = _currentContext.HttpContext.Request.Headers["Auth-Email"];
 								                    var authEmailDecoded = CoreHelpers.Base64UrlDecodeString(authEmailHeader);
 								                    if (authEmailDecoded != context.UserName)
 								                    {
 								                        return false;
 								                    }
 								                }
 								                catch (System.Exception e) when (e is System.InvalidOperationException || e is System.FormatException)
 								                {
 								                    // Invalid B64 encoding
 								                    return false;
 								                }
 								            }
 								            return true;
 								        }
-												WIP: Added IdentityServer4 to API via Bearer2 auth scheme

											
										
										
											2017-01-11 00:34:16 -05:00
+								    }
 								}