From 57a64298c05044802ae2db3e93bae270840ba149 Mon Sep 17 00:00:00 2001
From: Chris R
Date: Tue, 29 Sep 2015 16:33:48 -0700
Subject: [PATCH] #485 OIDC RequireHttpsMetadata
---
 .../JwtBearerMiddleware.cs | 8 +++++++-
 .../JwtBearerOptions.cs | 6 ++++++
 .../OpenIdConnectMiddleware.cs | 8 +++++++-
 .../OpenIdConnectOptions.cs | 6 ++++++
 4 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerMiddleware.cs b/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerMiddleware.cs
index 2a97054797..54d225c3e3 100644
--- a/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerMiddleware.cs
+++ b/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerMiddleware.cs
@@ -79,11 +79,17 @@ namespace Microsoft.AspNet.Authentication.JwtBearer
 Options.MetadataAddress += ".well-known/openid-configuration";
 }
+ if (Options.RequireHttpsMetadata && !Options.MetadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+ {
+ throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
+ }
+
 var httpClient = new HttpClient(Options.BackchannelHttpHandler ?? new HttpClientHandler());
 httpClient.Timeout = Options.BackchannelTimeout;
 httpClient.MaxResponseContentBufferSize = 1024 * 1024 * 10; // 10 MB
- Options.ConfigurationManager = new ConfigurationManager(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(), httpClient);
+ Options.ConfigurationManager = new ConfigurationManager(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(),
+ new HttpDocumentRetriever(httpClient) { RequireHttps = Options.RequireHttpsMetadata });
 }
 }
 }
diff --git a/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerOptions.cs b/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerOptions.cs
index bd1f9ded6e..1ab2a8b131 100644
--- a/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerOptions.cs
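Review bot: The HTTPS requirement is enforced only on the configured address string, so a metadata endpoint that answers with a redirect to an http:// location would still be fetched over plaintext: the fallback handler on the `var httpClient = new HttpClient(Options.BackchannelHttpHandler ?? new HttpClientHandler());` line follows redirects by default, and as far as I know HttpDocumentRetriever.RequireHttps checks the address it is asked to fetch rather than the final redirected one. Consider `new HttpClientHandler { AllowAutoRedirect = false }` for the fallback handler, or a handler that rejects a non-https RequestUri, and note that the same applies to the `Backchannel` passed in the OpenIdConnectMiddleware.cs hunk, whose construction is outside that hunk. The guard also runs only where the middleware builds the ConfigurationManager itself, so a caller-supplied ConfigurationManager or BackchannelHttpHandler bypasses it; worth stating in the option's documentation. The enclosing constructor begins outside the hunk, so whether MetadataAddress is guaranteed non-null before the `StartsWith` call cannot be confirmed here.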
+++ b/src/Microsoft.AspNet.Authentication.JwtBearer/JwtBearerOptions.cs
@@ -25,6 +25,12 @@ namespace Microsoft.AspNet.Authentication.JwtBearer
 AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme;
 }
+ ///
+ /// Gets or sets if HTTPS is required for the metadata address or authority.
+ /// The default is true. This should be disabled only in development environments.
+ ///
+ public bool RequireHttpsMetadata { get; set; } = true;
+
 ///
 /// Gets or sets the discovery endpoint for obtaining metadata
 ///
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs
index c332befc93..691c861949 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectMiddleware.cs
@@ -156,7 +156,13 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 Options.MetadataAddress += ".well-known/openid-configuration";
 }
- Options.ConfigurationManager = new ConfigurationManager(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(), Backchannel);
+ if (Options.RequireHttpsMetadata && !Options.MetadataAddress.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
+ {
+ throw new InvalidOperationException("The MetadataAddress or Authority must use HTTPS unless disabled for development by setting RequireHttpsMetadata=false.");
+ }
+
+ Options.ConfigurationManager = new ConfigurationManager(Options.MetadataAddress, new OpenIdConnectConfigurationRetriever(),
+ new HttpDocumentRetriever(Backchannel) { RequireHttps = Options.RequireHttpsMetadata });
 }
 }
 }
diff --git a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
index ca66eef02d..a139f96515 100644
--- a/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
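Review bot: The summary on the new `RequireHttpsMetadata` property says "Gets or sets if HTTPS is required", which reads as a condition rather than a flag; the conventional phrasing is `/// Gets or sets a value indicating whether HTTPS is required for the metadata address or authority.` The same wording is added in the OpenIdConnectOptions.cs hunk. It would also help callers to state the scope of the check: from the middleware hunks in this patch it appears to apply only when the middleware constructs the ConfigurationManager from MetadataAddress or Authority, so a caller that supplies its own ConfigurationManager or Configuration is presumably not covered, and a sentence such as `/// The check is applied when the middleware builds its ConfigurationManager from MetadataAddress or Authority.` would make that explicit.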
+++ b/src/Microsoft.AspNet.Authentication.OpenIdConnect/OpenIdConnectOptions.cs
@@ -92,6 +92,12 @@ namespace Microsoft.AspNet.Authentication.OpenIdConnect
 ///
 public bool GetClaimsFromUserInfoEndpoint { get; set; }
+ ///
+ /// Gets or sets if HTTPS is required for the metadata address or authority.
+ /// The default is true. This should be disabled only in development environments.
+ ///
+ public bool RequireHttpsMetadata { get; set; } = true;
+
 ///
 /// Gets or sets the discovery endpoint for obtaining metadata
 ///