Add MapInboundClaims top level sugar for JwtBearerOptions (#24636)

* Add MapInboundClaims option

* Update JwtBearerOptions.cs

* Update JwtBearerTests.cs

* Update JwtBearerOptions.cs

* Update JwtBearerOptions.cs

* Update JwtBearerTests.cs

* Add MapInboundClaims to OIDC

* Update OpenIdConnectTests.cs

* Update OpenIdConnectOptions.cs

* Update OpenIdConnectOptions.cs

* Use MapInboundClaims

* Update OpenIdConnectTests.cs
Hao Kung 2020-08-13 15:44:10 -07:00 committed by GitHub
parent 60cb3bb5c4
commit fae4a56ff6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 79 additions and 4 deletions


@ -16,6 +16,13 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer
/// </summary>
public class JwtBearerOptions : AuthenticationSchemeOptions
{
private JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler();
public JwtBearerOptions()
{
SecurityTokenValidators = new List<ISecurityTokenValidator> { _defaultHandler };
}
/// <summary>
/// Gets or sets if HTTPS is required for the metadata address or authority.
/// The default is true. This should be disabled only in development environments.
@ -90,7 +97,7 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer
/// <summary>
/// Gets the ordered list of <see cref="ISecurityTokenValidator"/> used to validate access tokens.
/// </summary>
public IList<ISecurityTokenValidator> SecurityTokenValidators { get; } = new List<ISecurityTokenValidator> { new JwtSecurityTokenHandler() };
public IList<ISecurityTokenValidator> SecurityTokenValidators { get; private set; }
/// <summary>
/// Gets or sets the parameters used to validate identity tokens.
@ -112,6 +119,18 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer
/// </summary>
public bool IncludeErrorDetails { get; set; } = true;
/// <summary>
/// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidators, which is used when determining
/// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>.
/// <para>If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.</para>
/// <para>The default value is true.</para>
/// </summary>
public bool MapInboundClaims
{
get => _defaultHandler.MapInboundClaims;
set => _defaultHandler.MapInboundClaims = value;
}
/// <summary>
/// 1 day is the default time interval that afterwards, <see cref="ConfigurationManager" /> will obtain new configuration.
/// </summary>
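Review bot: The new `MapInboundClaims` property reads and writes `_defaultHandler` even after that instance is no longer in `SecurityTokenValidators`, so an application that clears the list and adds its own `JwtSecurityTokenHandler` gets a silent no-op: the getter keeps reporting the configured value while the validator actually in use keeps its own setting (the same shape appears in the OpenIdConnectOptions section below, where `SecurityTokenValidator` additionally has a public setter). Because this flag decides whether incoming claims surface under the mapped .NET claim types or the raw JSON names, the mismatch is easy to miss and tends to show up as authorization policies that silently stop matching. Making the field `private readonly JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler();` and adding a caveat to the summary, `/// <para>This only affects the handler registered by default; it has no effect on validators the application adds to <see cref="SecurityTokenValidators"/>.</para>`, would make the limitation explicit. If a no-op is unacceptable, the alternative is to check in a PostConfigure step that the handler in use is still the default one.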


@ -89,8 +89,6 @@ namespace OpenIdConnectSample
public void ConfigureServices(IServiceCollection services)
{
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
services.Configure<CookiePolicyOptions>(options =>
{
options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
@ -120,6 +118,7 @@ namespace OpenIdConnectSample
o.SaveTokens = true;
o.GetClaimsFromUserInfoEndpoint = true;
o.AccessDeniedPath = "/access-denied-from-remote";
o.MapInboundClaims = false;
// o.ClaimActions.MapAllExcept("aud", "iss", "iat", "nbf", "exp", "aio", "c_hash", "uti", "nonce");
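Review bot: The replaced line changes scope, not just style: `JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear()` affected every handler in the process, whereas `o.MapInboundClaims = false;` only reaches the handler held by this scheme's `SecurityTokenValidator`, so any other `JwtSecurityTokenHandler` (another scheme, or a validator the app assigns later) still maps claim types. Per-scheme is the better default for a sample, but a one-line comment would stop readers from assuming the two forms are equivalent: `// Per-scheme: disables claim-type mapping only for this scheme's default JwtSecurityTokenHandler`. ConfigureServices continues outside the hunk.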


@ -18,6 +18,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
public class OpenIdConnectOptions : RemoteAuthenticationOptions
{
private CookieBuilder _nonceCookieBuilder;
private JwtSecurityTokenHandler _defaultHandler = new JwtSecurityTokenHandler();
/// <summary>
/// Initializes a new <see cref="OpenIdConnectOptions"/>
@ -38,6 +39,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
CallbackPath = new PathString("/signin-oidc");
SignedOutCallbackPath = new PathString("/signout-callback-oidc");
RemoteSignOutPath = new PathString("/signout-oidc");
SecurityTokenValidator = _defaultHandler;
Events = new OpenIdConnectEvents();
Scope.Add("openid");
@ -253,7 +255,7 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
/// <summary>
/// Gets or sets the <see cref="ISecurityTokenValidator"/> used to validate identity tokens.
/// </summary>
public ISecurityTokenValidator SecurityTokenValidator { get; set; } = new JwtSecurityTokenHandler();
public ISecurityTokenValidator SecurityTokenValidator { get; set; }
/// <summary>
/// Gets or sets the parameters used to validate identity tokens.
@ -337,5 +339,17 @@ namespace Microsoft.AspNetCore.Authentication.OpenIdConnect
/// The minimum time between <see cref="ConfigurationManager" /> retrievals, in the event that a retrieval failed, or that a refresh was explicitly requested. 30 seconds is the default.
/// </summary>
public TimeSpan RefreshInterval { get; set; } = ConfigurationManager<OpenIdConnectConfiguration>.DefaultRefreshInterval;
/// <summary>
/// Gets or sets the <see cref="MapInboundClaims"/> property on the default instance of <see cref="JwtSecurityTokenHandler"/> in SecurityTokenValidator, which is used when determining
/// whether or not to map claim types that are extracted when validating a <see cref="JwtSecurityToken"/>.
/// <para>If this is set to true, the Claim Type is set to the JSON claim 'name' after translating using this mapping. Otherwise, no mapping occurs.</para>
/// <para>The default value is true.</para>
/// </summary>
public bool MapInboundClaims
{
get => _defaultHandler.MapInboundClaims;
set => _defaultHandler.MapInboundClaims = value;
}
}
}


@ -116,6 +116,27 @@ namespace Microsoft.AspNetCore.Authentication.JwtBearer
Assert.Equal(tokenText, await response.Response.Content.ReadAsStringAsync());
}
[Fact]
public void MapInboundClaimsDefaultsToTrue()
{
var options = new JwtBearerOptions();
Assert.True(options.MapInboundClaims);
var jwtHandler = options.SecurityTokenValidators.First() as JwtSecurityTokenHandler;
Assert.NotNull(jwtHandler);
Assert.True(jwtHandler.MapInboundClaims);
}
[Fact]
public void MapInboundClaimsCanBeSetToFalse()
{
var options = new JwtBearerOptions();
options.MapInboundClaims = false;
Assert.False(options.MapInboundClaims);
var jwtHandler = options.SecurityTokenValidators.First() as JwtSecurityTokenHandler;
Assert.NotNull(jwtHandler);
Assert.False(jwtHandler.MapInboundClaims);
}
[Fact]
public async Task SignInThrows()
{
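Review bot: `MapInboundClaimsDefaultsToTrue` and `MapInboundClaimsCanBeSetToFalse` only check that the property round-trips into the handler instance currently held by `SecurityTokenValidators`; neither pushes a token through the scheme, so a regression where validation stops using `_defaultHandler` would still pass. A test that validates a token with `MapInboundClaims = false` and asserts the resulting identity carries the raw JSON claim names (the file already has end-to-end tests reading `response.Response`) would pin the observable behaviour; the same applies to the OpenIdConnectTests.cs section below. One negative case after `options.SecurityTokenValidators.Clear()` would also record what `MapInboundClaims` is expected to do once the default handler is gone, so the limitation is documented rather than accidental. `SignInThrows` starts at the end of the hunk and its body is outside it.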


@ -3,6 +3,7 @@
using System;
using System.Globalization;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net;
using System.Security.Claims;
@ -366,6 +367,27 @@ namespace Microsoft.AspNetCore.Authentication.Test.OpenIdConnect
Assert.Contains(remoteSignOutTransaction.Response.Headers, h => h.Key == "Set-Cookie");
}
[Fact]
public void MapInboundClaimsDefaultsToTrue()
{
var options = new OpenIdConnectOptions();
Assert.True(options.MapInboundClaims);
var jwtHandler = options.SecurityTokenValidator as JwtSecurityTokenHandler;
Assert.NotNull(jwtHandler);
Assert.True(jwtHandler.MapInboundClaims);
}
[Fact]
public void MapInboundClaimsCanBeSetToFalse()
{
var options = new OpenIdConnectOptions();
options.MapInboundClaims = false;
Assert.False(options.MapInboundClaims);
var jwtHandler = options.SecurityTokenValidator as JwtSecurityTokenHandler;
Assert.NotNull(jwtHandler);
Assert.False(jwtHandler.MapInboundClaims);
}
// Test Cases for calculating the expiration time of cookie from cookie name
[Fact]
public void NonceCookieExpirationTime()
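Review bot: The added `using System.Linq;` does not appear to be needed by the new tests in this file: unlike the JwtBearer tests, which call `.First()` on `SecurityTokenValidators`, these read `SecurityTokenValidator` directly, and `Assert.Contains` with a predicate is an xUnit overload rather than LINQ. If nothing else in the file uses LINQ (only two hunks are visible here), the directive should be dropped so analyzers do not flag an unused using. Otherwise the two tests mirror the JwtBearer ones and need no change; `NonceCookieExpirationTime` begins at the end of the hunk.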