huahaofeng
/
aspnetcore
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Replace INonceCache by IDistributedCache

This commit is contained in:
Kévin Chalet 2015-06-22 17:32:08 +02:00
parent 6ae37717e8
commit 102f113e2b
8 changed files with 49 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationHandler.cs
View File

@ -12,6 +12,7 @@ using Microsoft.AspNet.Authentication.Notifications;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using Microsoft.AspNet.Http.Features.Authentication;
using Microsoft.Framework.Caching.Distributed;
using Microsoft.Framework.Internal;
using Microsoft.Framework.Logging;
using Microsoft.IdentityModel.Protocols;
@ -149,13 +150,18 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
if (Options.ProtocolValidator.RequireNonce)
{
message.Nonce = Options.ProtocolValidator.GenerateNonce();
if (Options.NonceCache != null)
if (Options.CacheNonces)
{
if (!Options.NonceCache.TryAddNonce(message.Nonce))
if (await Options.NonceCache.GetAsync(message.Nonce) != null)
{
Logger.LogError(Resources.OIDCH_0033_TryAddNonceFailed, message.Nonce);
throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0033_TryAddNonceFailed, message.Nonce));
Logger.LogError(Resources.OIDCH_0033_NonceAlreadyExists, message.Nonce);
throw new OpenIdConnectProtocolException(string.Format(CultureInfo.InvariantCulture, Resources.OIDCH_0033_NonceAlreadyExists, message.Nonce));
}
await Options.NonceCache.SetAsync(message.Nonce, new byte[0], new DistributedCacheEntryOptions
{
AbsoluteExpirationRelativeToNow = Options.ProtocolValidator.NonceLifetime
});
}
else
{
@ -389,11 +395,16 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
}
string nonce = jwt.Payload.Nonce;
if (Options.NonceCache != null)
if (Options.CacheNonces)
{
// if the nonce cannot be removed, it was used
if (!Options.NonceCache.TryRemoveNonce(nonce))
if (await Options.NonceCache.GetAsync(nonce) != null)
{
await Options.NonceCache.RemoveAsync(nonce);
}
else
{
// If the nonce cannot be removed, it was
// already used and MUST be rejected.
nonce = null;
}
}

14
src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationMiddleware.cs
View File

@ -13,11 +13,13 @@ using Microsoft.AspNet.Authentication.DataHandler.Serializer;
using Microsoft.AspNet.Builder;
using Microsoft.AspNet.DataProtection;
using Microsoft.AspNet.Http;
using Microsoft.Framework.Caching.Distributed;
using Microsoft.Framework.DependencyInjection;
using Microsoft.Framework.Internal;
using Microsoft.Framework.Logging;
using Microsoft.Framework.OptionsModel;
using Microsoft.IdentityModel.Protocols;
using Microsoft.Framework.Internal;
using Microsoft.Framework.WebEncoders;
using Microsoft.IdentityModel.Protocols;
namespace Microsoft.AspNet.Authentication.OpenIdConnect
{
@ -42,6 +44,7 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
[NotNull] IDataProtectionProvider dataProtectionProvider,
[NotNull] ILoggerFactory loggerFactory,
[NotNull] IUrlEncoder encoder,
[NotNull] IServiceProvider services,
[NotNull] IOptions<ExternalAuthenticationOptions> externalOptions,
[NotNull] IOptions<OpenIdConnectAuthenticationOptions> options,
ConfigureOptions<OpenIdConnectAuthenticationOptions> configureOptions = null)
@ -125,6 +128,13 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, httpClient);
}
}
if (Options.CacheNonces && Options.NonceCache == null)
{
// Use the global distributed cache if the user has not provided his own instance.
// Note: GetRequiredService will throw an exception if caching services have not been registered.
Options.NonceCache = services.GetRequiredService<IDistributedCache>();
}
}
/// <summary>

9
src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectAuthenticationOptions.cs
View File

@ -8,6 +8,7 @@ using System.IdentityModel.Tokens;
using System.Net.Http;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Http.Authentication;
using Microsoft.Framework.Caching.Distributed;
using Microsoft.Framework.Internal;
using Microsoft.IdentityModel.Protocols;
@ -173,7 +174,13 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
/// recommends adding a nonce to a request as a mitigation against replay attacks when requesting id_tokens.
/// By default the runtime uses cookies with unique names generated from a hash of the nonce.
/// </summary>
public INonceCache NonceCache { get; set; }
public IDistributedCache NonceCache { get; set; }
/// <summary>
/// Gets or sets the value indicating whether nonces should be stored in the distributed cache or not.
/// The default value, <c>false</c>, is used to store nonces in client cookies.
/// </summary>
public bool CacheNonces { get; set; }
/// <summary>
/// Gets or sets the <see cref="OpenIdConnectAuthenticationNotifications"/> to notify when processing OpenIdConnect messages.

6
src/Microsoft.AspNet.Authentication.OpenIdConnect/Resources.Designer.cs generated
View File

@ -141,11 +141,11 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
}
/// <summary>
/// OIDCH_0033: ProtocolValidator.RequireNonce == true. Options.NonceCache.TryAddNonce returned false. This usually indicates the nonce is not unique or has been used. The nonce is: '{0}'.
/// OIDCH_0033: ProtocolValidator.RequireNonce == true. The generated nonce already exists: this usually indicates the nonce is not unique or has been used. The nonce is: '{0}'.
/// </summary>
internal static string OIDCH_0033_TryAddNonceFailed
internal static string OIDCH_0033_NonceAlreadyExists
{
get { return ResourceManager.GetString("OIDCH_0033_TryAddNonceFailed"); }
get { return ResourceManager.GetString("OIDCH_0033_NonceAlreadyExists"); }
}
/// <summary>

6
src/Microsoft.AspNet.Authentication.OpenIdConnect/Resources.resx
View File

@ -147,8 +147,8 @@
<data name="OIDCH_0032_UsingCurrentUriRedirectUri" xml:space="preserve">
<value>OIDCH_0032: using the CurrentUri for 'local redirect' post authentication: '{0}'.</value>
</data>
<data name="OIDCH_0033_TryAddNonceFailed" xml:space="preserve">
<value>OIDCH_0033: ProtocolValidator.RequireNonce == true. Options.NonceCache.TryAddNonce returned false. This usually indicates the nonce is not unique or has been used. The nonce is: '{0}'.</value>
<data name="OIDCH_0033_NonceAlreadyExists" xml:space="preserve">
<value>OIDCH_0033: ProtocolValidator.RequireNonce == true. The generated nonce already exists: this usually indicates the nonce is not unique or has been used. The nonce is: '{0}'.</value>
</data>
<data name="OIDCH_0034_RedirectToIdentityProviderNotificationHandledResponse" xml:space="preserve">
<value>OIDCH_0034: redirectToIdentityProviderNotification.HandledResponse</value>
@ -222,4 +222,4 @@
<data name="OIDCH_0020_IdTokenReceived" xml:space="preserve">
<value>OIDCH_0020: 'id_token' received: '{0}'</value>
</data>
</root>
</root>

1
src/Microsoft.AspNet.Authentication.OpenIdConnect/project.json
View File

@ -3,6 +3,7 @@
"description": "ASP.NET 5 middleware that enables an application to support OpenIdConnect authentication workflow.",
"dependencies": {
"Microsoft.AspNet.Authentication": "1.0.0-*",
"Microsoft.Framework.Caching.Abstractions": "1.0.0-*",
"Microsoft.Framework.NotNullAttribute.Sources": { "type": "build", "version": "1.0.0-*" },
"Microsoft.IdentityModel.Protocol.Extensions": "2.0.0-beta5-*"
},

1
src/Microsoft.AspNet.Authentication/AuthenticationServiceCollectionExtensions.cs
View File

@ -32,6 +32,5 @@ namespace Microsoft.Framework.DependencyInjection
{
return services.Configure<ClaimsTransformationOptions>(o => o.Transformer = new ClaimsTransformer { TransformAsyncDelegate = asyncTransform });
}
}
}

5
test/Microsoft.AspNet.Authentication.Test/OpenIdConnect/OpenIdConnectHandlerTests.cs
View File

@ -437,6 +437,7 @@ namespace Microsoft.AspNet.Authentication.Tests.OpenIdConnect
},
services =>
{
services.AddAuthentication();
services.AddWebEncoders();
services.AddDataProtection();
}
@ -456,6 +457,7 @@ namespace Microsoft.AspNet.Authentication.Tests.OpenIdConnect
},
services =>
{
services.AddAuthentication();
services.AddWebEncoders();
services.AddDataProtection();
}
@ -571,11 +573,12 @@ namespace Microsoft.AspNet.Authentication.Tests.OpenIdConnect
IDataProtectionProvider dataProtectionProvider,
ILoggerFactory loggerFactory,
IUrlEncoder encoder,
IServiceProvider services,
IOptions<ExternalAuthenticationOptions> externalOptions,
IOptions<OpenIdConnectAuthenticationOptions> options,
ConfigureOptions<OpenIdConnectAuthenticationOptions> configureOptions = null
)
: base(next, dataProtectionProvider, loggerFactory, encoder, externalOptions, options, configureOptions)
: base(next, dataProtectionProvider, loggerFactory, encoder, services, externalOptions, options, configureOptions)
{
Logger = (loggerFactory as CustomLoggerFactory).Logger;
}