From e5518e6fc25874920e203dfcd923868ad5de6cbb Mon Sep 17 00:00:00 2001
From: BrentSchmaltz
Date: Tue, 27 Jan 2015 08:15:28 -0800
Subject: [PATCH] ChallengeContext will be null with [Authorize] attribute OpenIdConnect set Ticket.Principal, get identity from there.
---
 .../OpenidConnectAuthenticationHandler.cs | 24 +++++++++++++++----
 .../Infrastructure/AuthenticationHandler.cs | 7 ++++--
 2 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/Microsoft.AspNet.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs b/src/Microsoft.AspNet.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs
index 96156f6534..b237b6be97 100644
--- a/src/Microsoft.AspNet.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Security.OpenIdConnect/OpenidConnectAuthenticationHandler.cs
@@ -91,6 +91,7 @@ namespace Microsoft.AspNet.Security.OpenIdConnect
                 {
                     ProtocolMessage = openIdConnectMessage
                 };
+
                 await Options.Notifications.RedirectToIdentityProvider(notification);
 
                 if (!notification.HandledResponse)
@@ -100,6 +101,7 @@ namespace Microsoft.AspNet.Security.OpenIdConnect
                 {
                     _logger.WriteWarning("The logout redirect URI is malformed: " + redirectUri);
                 }
+
                 Response.Redirect(redirectUri);
             }
         }
@@ -116,7 +118,13 @@ namespace Microsoft.AspNet.Security.OpenIdConnect
         ///
         protected override async Task ApplyResponseChallengeAsync()
         {
-            if ((Response.StatusCode != 401) || (ChallengeContext == null))
+            if (Response.StatusCode != 401)
+            {
+                return;
+            }
+
+            // Active middleware should redirect on 401 even if there wasn't an explicit challenge.
+            if (ChallengeContext == null && Options.AuthenticationMode == AuthenticationMode.Passive)
             {
                 return;
             }
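Review bot: With the split guard, an Active-mode handler now converts every 401 on the response into a redirect to the identity provider, including 401s that were never raised through a challenge aimed at this handler, and nothing in the hunk records that contract beyond the one-line inline comment. The XML summary above the method (only its closing `///` falls inside the hunk) should state it, e.g. `/// In Active mode any 401 response is redirected to the identity provider even without an explicit challenge; in Passive mode an explicit challenge is required.` The new condition reads `Options.AuthenticationMode` while the base handler in the second file tests `BaseOptions.AuthenticationMode`; if both resolve to the same options object this is fine, but a short comment on which one is authoritative would help the next reader. ApplyResponseChallengeAsync's body continues beyond the end of this hunk.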
@@ -124,7 +132,16 @@ namespace Microsoft.AspNet.Security.OpenIdConnect
             // order for redirect_uri
             // 1. challenge.Properties.RedirectUri
             // 2. CurrentUri
-            AuthenticationProperties properties = new AuthenticationProperties(ChallengeContext.Properties);
+            AuthenticationProperties properties;
+            if (ChallengeContext == null)
+            {
+                properties = new AuthenticationProperties();
+            }
+            else
+            {
+                properties = new AuthenticationProperties(ChallengeContext.Properties);
+            }
+
             if (string.IsNullOrEmpty(properties.RedirectUri))
             {
                 properties.RedirectUri = CurrentUri;
@@ -154,7 +171,6 @@ namespace Microsoft.AspNet.Security.OpenIdConnect
                 State = OpenIdConnectAuthenticationDefaults.AuthenticationPropertiesKey + "=" + Uri.EscapeDataString(Options.StateDataFormat.Protect(properties))
             };
 
-            // TODO - brentschmaltz, if INonceCache is set should we even consider if ProtocolValidator is set?
             if (Options.ProtocolValidator.RequireNonce)
             {
                 openIdConnectMessage.Nonce = Options.ProtocolValidator.GenerateNonce();
@@ -179,7 +195,7 @@ namespace Microsoft.AspNet.Security.OpenIdConnect
             string redirectUri = notification.ProtocolMessage.CreateAuthenticationRequestUrl();
             if (!Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute))
             {
-                _logger.WriteWarning("The authenticate redirect URI is malformed: " + redirectUri);
+                _logger.WriteWarning("Uri.IsWellFormedUriString(redirectUri, UriKind.Absolute) returned 'false', redirectUri is: " + (redirectUri ?? "null"));
             }
 
             Response.Redirect(redirectUri);
diff --git a/src/Microsoft.AspNet.Security/Infrastructure/AuthenticationHandler.cs b/src/Microsoft.AspNet.Security/Infrastructure/AuthenticationHandler.cs
index d7a0db8fcd..fc847f4fa9 100644
--- a/src/Microsoft.AspNet.Security/Infrastructure/AuthenticationHandler.cs
+++ b/src/Microsoft.AspNet.Security/Infrastructure/AuthenticationHandler.cs
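Review bot: The declare-then-assign `if`/`else` around `properties` is more ceremony than a two-way choice needs; a conditional expression keeps the same behaviour on one line: `AuthenticationProperties properties = ChallengeContext == null ? new AuthenticationProperties() : new AuthenticationProperties(ChallengeContext.Properties);`. It would also help to note beside the null branch that an unchallenged Active-mode 401 arrives with no caller-supplied properties, so unless lines outside the hunk add more, the only thing carried through the protected `State` is the `RedirectUri` defaulted to `CurrentUri` just below. The enclosing ApplyResponseChallengeAsync starts and ends outside this hunk.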
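Review bot: The reworded warning still falls through to `Response.Redirect(redirectUri)` two lines below, so a URI that failed `Uri.IsWellFormedUriString` — or a null one, which the new `?? "null"` explicitly anticipates — is logged and then sent to the client anyway. If that is deliberate because `IsWellFormedUriString` rejects more than browsers do, a comment on the `if` saying so would stop the next reader from taking it for a missed `return`; if it is not deliberate, add `return;` after the log call inside the braces. The logout path in the `@@ -100,6 +101,7 @@` hunk has the same log-then-redirect shape and would want the same treatment. The enclosing method begins before this hunk.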
@@ -77,9 +77,12 @@ namespace Microsoft.AspNet.Security.Infrastructure
             if (BaseOptions.AuthenticationMode == AuthenticationMode.Active)
             {
                 AuthenticationTicket ticket = await AuthenticateAsync();
-                if (ticket != null && ticket.Identity != null)
+                if (ticket != null)
                 {
-                    SecurityHelper.AddUserIdentity(Context, ticket.Identity);
+                    if ( ticket.Identity != null)
+                        SecurityHelper.AddUserIdentity(Context, ticket.Identity);
+                    else if (ticket.Principal != null)
+                        SecurityHelper.AddUserIdentity(Context, ticket.Principal.Identity);
                 }
             }
         }
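Review bot: `ticket.Principal.Identity` can itself be null (a ClaimsPrincipal holding no identities reports a null primary Identity, assuming Principal is a ClaimsPrincipal here), so the new `else if` can hand null to `SecurityHelper.AddUserIdentity`, which the old `ticket.Identity != null` guard ruled out; tighten it to `else if (ticket.Principal != null && ticket.Principal.Identity != null)`. The two single-statement branches also lack braces and `if ( ticket` carries a stray space, both at odds with the braced style of the surrounding lines. A principal carrying several identities is reduced to its primary one on this path, which deserves a comment if intentional, e.g. `// Only the principal's primary identity is added to the context.` The enclosing method begins before this hunk.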