src/Identity/IdentityServer/ApiClient.cs

// FIXME: Update this file to be null safe and then delete the line below
#nullable disable

using Bit.Core.Settings;
using Bit.Identity.IdentityServer.RequestValidators;
using Duende.IdentityServer.Models;

namespace Bit.Identity.IdentityServer;

public class ApiClient : Client
{
    public ApiClient(
        GlobalSettings globalSettings,
        string id,
        int refreshTokenSlidingDays,
        int accessTokenLifetimeHours,
        string[] scopes = null)
    {
        ClientId = id;
        AllowedGrantTypes = new[] { GrantType.ResourceOwnerPassword, GrantType.AuthorizationCode, WebAuthnGrantValidator.GrantType };

        // Use global setting: false = Sliding (default), true = Absolute
        RefreshTokenExpiration = globalSettings.IdentityServer.ApplyAbsoluteExpirationOnRefreshToken
            ? TokenExpiration.Absolute
            : TokenExpiration.Sliding;

        RefreshTokenUsage = TokenUsage.ReUse;

        // Use global setting if provided, otherwise use constructor parameter
        SlidingRefreshTokenLifetime = globalSettings.IdentityServer.SlidingRefreshTokenLifetimeSeconds ?? (86400 * refreshTokenSlidingDays);
        AbsoluteRefreshTokenLifetime = globalSettings.IdentityServer.AbsoluteRefreshTokenLifetimeSeconds ?? 0; // forever

        UpdateAccessTokenClaimsOnRefresh = true;
        AccessTokenLifetime = 3600 * accessTokenLifetimeHours;
        AllowOfflineAccess = true;

        RequireConsent = false;
        RequirePkce = true;
        RequireClientSecret = false;
        if (id == "web")
        {
            RedirectUris = new[] { $"{globalSettings.BaseServiceUri.Vault}/sso-connector.html" };
            PostLogoutRedirectUris = new[] { globalSettings.BaseServiceUri.Vault };
            AllowedCorsOrigins = new[] { globalSettings.BaseServiceUri.Vault };
        }
        else if (id == "desktop")
        {
            var desktopUris = new List<string>();
            desktopUris.Add("bitwarden://sso-callback");
            for (var port = 8065; port <= 8070; port++)
            {
                desktopUris.Add(string.Format("http://localhost:{0}", port));
            }
            RedirectUris = desktopUris;
            PostLogoutRedirectUris = new[] { "bitwarden://logged-out" };
        }
        else if (id == "connector")
        {
            var connectorUris = new List<string>();
            for (var port = 8065; port <= 8070; port++)
            {
                connectorUris.Add(string.Format("http://localhost:{0}", port));
            }
            RedirectUris = connectorUris.Append("bwdc://sso-callback").ToList();
            PostLogoutRedirectUris = connectorUris.Append("bwdc://logged-out").ToList();
        }
        else if (id == "browser")
        {
            RedirectUris = new[] { $"{globalSettings.BaseServiceUri.Vault}/sso-connector.html" };
            PostLogoutRedirectUris = new[] { globalSettings.BaseServiceUri.Vault };
            AllowedCorsOrigins = new[] { globalSettings.BaseServiceUri.Vault };
        }
        else if (id == "cli")
        {
            var cliUris = new List<string>();
            for (var port = 8065; port <= 8070; port++)
            {
                cliUris.Add(string.Format("http://localhost:{0}", port));
            }
            RedirectUris = cliUris;
            PostLogoutRedirectUris = cliUris;
        }
        else if (id == "mobile")
        {
            RedirectUris = new[] { "bitwarden://sso-callback" };
            PostLogoutRedirectUris = new[] { "bitwarden://logged-out" };
        }

        if (scopes == null)
        {
            scopes = new string[] { "api" };
        }
        AllowedScopes = scopes;
    }
}
-												Add `#nullable disable` to auth code (#6055)


											
										
										
											2025-07-08 10:25:41 -04:00
+								// FIXME: Update this file to be null safe and then delete the line below
 								#nullable disable
 								using Bit.Core.Settings;
-												[PM-6666] Two factor Validator refactor (#4894)

* initial device removal

* Unit Testing

* Finalized tests

* initial commit refactoring two factor

* initial tests

* Unit Tests

* initial device removal

* Unit Testing

* Finalized tests

* initial commit refactoring two factor

* initial tests

* Unit Tests

* Fixing some tests

* renaming and reorganizing

* refactored two factor flows

* fixed a possible issue with object mapping.

* Update TwoFactorAuthenticationValidator.cs

removed unused code
											
										
										
											2024-10-24 10:41:25 -07:00
+								using Bit.Identity.IdentityServer.RequestValidators;
-												[PM-3569] Upgrade to Duende.Identity (#3185)

* Upgrade to Duende.Identity

* Linting

* Get rid of last IdentityServer4 package

* Fix identity test since Duende returns additional configuration

* Use Configure

PostConfigure is ran after ASP.NET's PostConfigure
so ConfigurationManager was already configured and our HttpHandler wasn't
being respected.

* Regenerate lockfiles

* Move to 6.0.4 for patches

* fixes with testing

* Add additional grant type supported in 6.0.4 and beautify

* Lockfile refresh

* Reapply lockfiles

* Apply change to new WebAuthn logic

* When automated merging fails me

---------

Co-authored-by: Justin Baur <19896123+justindbaur@users.noreply.github.com>
Co-authored-by: Kyle Spearrin <kyle.spearrin@gmail.com>
											
										
										
											2023-11-20 16:32:23 -05:00
+								using Duende.IdentityServer.Models;
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
-												[SM-220] Move identity specific files to identity (#2279)


											
										
										
											2022-09-27 18:30:37 +02:00
+								namespace Bit.Identity.IdentityServer;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								public class ApiClient : Client
 								{
 								    public ApiClient(
 								        GlobalSettings globalSettings,
 								        string id,
 								        int refreshTokenSlidingDays,
 								        int accessTokenLifetimeHours,
 								        string[] scopes = null)
 								    {
 								        ClientId = id;
-												[PM-2032] Server endpoints to support authentication with a passkey (#3361)

* [PM-2032] feat: add assertion options tokenable

* [PM-2032] feat: add request and response models

* [PM-2032] feat: implement `assertion-options` identity endpoint

* [PM-2032] feat: implement authentication with passkey

* [PM-2032] chore: rename to `WebAuthnGrantValidator`

* [PM-2032] fix: add missing subsitute

* [PM-2032] feat: start adding builder

* [PM-2032] feat: add support for KeyConnector

* [PM-2032] feat: add first version of TDE

* [PM-2032] chore: refactor WithSso

* [PM-2023] feat: add support for TDE feature flag

* [PM-2023] feat: add support for approving devices

* [PM-2023] feat: add support for hasManageResetPasswordPermission

* [PM-2032] feat: add support for hasAdminApproval

* [PM-2032] chore: don't supply device if not necessary

* [PM-2032] chore: clean up imports

* [PM-2023] feat: extract interface

* [PM-2023] chore: add clarifying comment

* [PM-2023] feat: use new builder in production code

* [PM-2032] feat: add support for PRF

* [PM-2032] chore: clean-up todos

* [PM-2023] chore: remove token which is no longer used

* [PM-2032] chore: remove todo

* [PM-2032] feat: improve assertion error handling

* [PM-2032] fix: linting issues

* [PM-2032] fix: revert changes to `launchSettings.json`

* [PM-2023] chore: clean up assertion endpoint

* [PM-2032] feat: bypass 2FA

* [PM-2032] fix: rename prf option to singular

* [PM-2032] fix: lint

* [PM-2032] fix: typo

* [PM-2032] chore: improve builder tests

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>

* [PM-2032] chore: clarify why we don't require 2FA

* [PM-2023] feat: move `identityProvider` constant to common class

* [PM-2032] fix: lint

* [PM-2023] fix: move `IdentityProvider` to core.Constants

* [PM-2032] fix: missing import

* [PM-2032] chore: refactor token timespan to use `TimeSpan`

* [PM-2032] chore: make `StartWebAuthnLoginAssertion` sync

* [PM-2032] chore: use `FromMinutes`

* [PM-2032] fix: change to 17 minutes to cover webauthn assertion

* [PM-2032] chore: do not use `async void`

* [PM-2032] fix: comment saying wrong amount of minutes

* [PM-2032] feat: put validator behind feature flag

* [PM-2032] fix: lint

---------

Co-authored-by: Jared Snider <116684653+JaredSnider-Bitwarden@users.noreply.github.com>
											
										
										
											2023-11-20 15:55:31 +01:00
+								        AllowedGrantTypes = new[] { GrantType.ResourceOwnerPassword, GrantType.AuthorizationCode, WebAuthnGrantValidator.GrantType };
-												[PM-25381] Add env variables for controlling refresh token lifetimes (#6276)

* add env variables for controlling refresh token lifetimes

* fix whitespace

* added setting for adjusting refresh token expiration policy

* format
											
										
										
											2025-09-09 12:30:58 -07:00
 								        // Use global setting: false = Sliding (default), true = Absolute
-												fix(global-settings): [PM-26092] Token Refresh Doc Enhancement (#6367)

* fix(global-settings): [PM-26092] Token Refresh Doc Enhancement - Enhanced documentation and wording for token refresh.
											
										
										
											2025-09-24 18:23:15 -04:00
+								        RefreshTokenExpiration = globalSettings.IdentityServer.ApplyAbsoluteExpirationOnRefreshToken
-												[PM-25381] Add env variables for controlling refresh token lifetimes (#6276)

* add env variables for controlling refresh token lifetimes

* fix whitespace

* added setting for adjusting refresh token expiration policy

* format
											
										
										
											2025-09-09 12:30:58 -07:00
+								            ? TokenExpiration.Absolute
 								            : TokenExpiration.Sliding;
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        RefreshTokenUsage = TokenUsage.ReUse;
-												[PM-25381] Add env variables for controlling refresh token lifetimes (#6276)

* add env variables for controlling refresh token lifetimes

* fix whitespace

* added setting for adjusting refresh token expiration policy

* format
											
										
										
											2025-09-09 12:30:58 -07:00
 								        // Use global setting if provided, otherwise use constructor parameter
 								        SlidingRefreshTokenLifetime = globalSettings.IdentityServer.SlidingRefreshTokenLifetimeSeconds ?? (86400 * refreshTokenSlidingDays);
 								        AbsoluteRefreshTokenLifetime = globalSettings.IdentityServer.AbsoluteRefreshTokenLifetimeSeconds ?? 0; // forever
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        UpdateAccessTokenClaimsOnRefresh = true;
 								        AccessTokenLifetime = 3600 * accessTokenLifetimeHours;
 								        AllowOfflineAccess = true;
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        RequireConsent = false;
 								        RequirePkce = true;
 								        RequireClientSecret = false;
 								        if (id == "web")
 								        {
 								            RedirectUris = new[] { $"{globalSettings.BaseServiceUri.Vault}/sso-connector.html" };
 								            PostLogoutRedirectUris = new[] { globalSettings.BaseServiceUri.Vault };
 								            AllowedCorsOrigins = new[] { globalSettings.BaseServiceUri.Vault };
 								        }
 								        else if (id == "desktop")
 								        {
-												Allow localhost callback on desktop (#4649)


											
										
										
											2024-08-26 15:11:48 +02:00
+								            var desktopUris = new List<string>();
 								            desktopUris.Add("bitwarden://sso-callback");
 								            for (var port = 8065; port <= 8070; port++)
 								            {
 								                desktopUris.Add(string.Format("http://localhost:{0}", port));
 								            }
 								            RedirectUris = desktopUris;
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								            PostLogoutRedirectUris = new[] { "bitwarden://logged-out" };
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								        }
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        else if (id == "connector")
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								        {
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								            var connectorUris = new List<string>();
 								            for (var port = 8065; port <= 8070; port++)
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            {
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								                connectorUris.Add(string.Format("http://localhost:{0}", port));
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            }
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								            RedirectUris = connectorUris.Append("bwdc://sso-callback").ToList();
 								            PostLogoutRedirectUris = connectorUris.Append("bwdc://logged-out").ToList();
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        }
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        else if (id == "browser")
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        {
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								            RedirectUris = new[] { $"{globalSettings.BaseServiceUri.Vault}/sso-connector.html" };
 								            PostLogoutRedirectUris = new[] { globalSettings.BaseServiceUri.Vault };
 								            AllowedCorsOrigins = new[] { globalSettings.BaseServiceUri.Vault };
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        }
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        else if (id == "cli")
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        {
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								            var cliUris = new List<string>();
 								            for (var port = 8065; port <= 8070; port++)
-												Revert filescoped (#2227)

* Revert "Add git blame entry (#2226)"

This reverts commit 239286737d15cb84a893703ee5a8b33a2d67ad3d.

* Revert "Turn on file scoped namespaces (#2225)"

This reverts commit 34fb4cca2aa78deb84d4cbc359992a7c6bba7ea5.
											
										
										
											2022-08-29 15:53:48 -04:00
+								            {
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								                cliUris.Add(string.Format("http://localhost:{0}", port));
 								            }
 								            RedirectUris = cliUris;
 								            PostLogoutRedirectUris = cliUris;
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        }
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								        else if (id == "mobile")
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        {
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
+								            RedirectUris = new[] { "bitwarden://sso-callback" };
 								            PostLogoutRedirectUris = new[] { "bitwarden://logged-out" };
-												Run formatting (#2230)


											
										
										
											2022-08-29 16:06:55 -04:00
+								        }
-												Added static client store (#899)


											
										
										
											2020-08-28 13:32:15 -04:00
 								        if (scopes == null)
 								        {
 								            scopes = new string[] { "api" };
 								        }
 								        AllowedScopes = scopes;
 								    }
 								}