#485 OIDC RequireHttpsMetadata

This commit is contained in:
Chris R 2015-09-29 16:33:48 -07:00
parent 9c9cf3d314
commit 57a64298c0
4 changed files with 26 additions and 2 deletions


@ -79,11 +79,17 @@ namespace Microsoft.AspNet.Authentication.JwtBearer
Options.MetadataAddress += ".well-known/openid-configuration";
}
if (Options.RequireHttpsMetadata && !Options.MetadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
}
var httpClient = new HttpClient(Options.BackchannelHttpHandler ?? new HttpClientHandler());
httpClient.Timeout = Options.BackchannelTimeout;
httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(), httpClient);
Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(httpClient) { RequireHttps = Options.RequireHttpsMetadata });
}
}
}
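Review bot: The new `if` at the top of the hunk and the `RequireHttps` flag on the `HttpDocumentRetriever` both judge the configured `Options.MetadataAddress`, not the URL the request actually ends at; when `Options.BackchannelHttpHandler` is null the fallback `new HttpClientHandler()` follows redirects by default (`AllowAutoRedirect` is true), so as far as I can tell an `https://` discovery address that redirects to an `http://` location would still be fetched over plain HTTP and the signing keys it returns accepted. Consider constructing the fallback as `new HttpClientHandler { AllowAutoRedirect = false }`, or document on `BackchannelHttpHandler` that redirect policy is the caller's responsibility when a custom handler is supplied. The same pattern applies to the OpenIdConnect middleware hunk below, which reuses the existing `Backchannel` client. The enclosing method begins before this hunk.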


@ -25,6 +25,12 @@ namespace Microsoft.AspNet.Authentication.JwtBearer
AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme;
}
/// <summary>
/// Gets or sets if HTTPS is required for the metadata address or authority.
/// The default is true. This should be disabled only in development environments.
/// </summary>
public bool RequireHttpsMetadata { get; set; } = true;
/// <summary>
/// Gets or sets the discovery endpoint for obtaining metadata
/// </summary>
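Review bot: The `<summary>` on `RequireHttpsMetadata` says what the flag gates but not what happens when the requirement is violated, so a reader of the options type has to go find the middleware check. Suggest rewording the first line to `/// Gets or sets a value indicating whether HTTPS is required for the metadata address or authority.` and adding a sentence stating that, when true, a non-https MetadataAddress or Authority causes an InvalidOperationException when the middleware is constructed and that the document retriever used for later metadata refreshes is configured with the same requirement. The identical summary is used for the property in the OpenIdConnectOptions hunk below and should get the same change.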


@ -156,7 +156,13 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
Options.MetadataAddress += ".well-known/openid-configuration";
}
Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(), Backchannel);
if (Options.RequireHttpsMetadata && !Options.MetadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
{
throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
}
Options.ConfigurationManager = new ConfigurationManager<OpenIdConnectConfiguration>(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(),
new HttpDocumentRetriever(Backchannel) { RequireHttps = Options.RequireHttpsMetadata });
}
}
}


@ -92,6 +92,12 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
/// </summary>
public bool GetClaimsFromUserInfoEndpoint { get; set; }
/// <summary>
/// Gets or sets if HTTPS is required for the metadata address or authority.
/// The default is true. This should be disabled only in development environments.
/// </summary>
public bool RequireHttpsMetadata { get; set; } = true;
/// <summary>
/// Gets or sets the discovery endpoint for obtaining metadata
/// </summary>