Currently, UserAuthProvider.AuthenticateClient creates a new nonce and a new state and passes them to the preAuthUrl. I think it should first check whether the nonce and state passed in the Authenticate request DTO are empty. If they are not empty, they should be passed down to the new URL.
I am now investigating how to pass parameters back in the redirect_uri.
I found the links below stating that the redirect_uri must match exactly, without any parameters. To pass parameters back to the redirect_uri after logon, the state parameter should be used.
I used the debugger to set the state in the Authenticate DTO, but AuthenticateClient does not pass it down. When I use the debugger to set that state, I can see the state is passed back in the redirect_uri, where I can retrieve the parameters.
I think it can be something like this:
```csharp
// We need to get the user to login as we don't have any credentials for them
if (isInitialRequest && !IsCallbackRequest(authService, request))
{
    // Forward the nonce/State supplied in the Authenticate DTO instead of always generating new ones
    return AuthenticateClient(authService, session, tokens, request.nonce, request.State);
}

internal IHttpResult AuthenticateClient(IServiceBase authService, IAuthSession session, IAuthTokens authTokens, string nonce, string state)
{
    const string preAuthUrl = "{0}?client_id={1}&scope={2}&redirect_uri={3}&response_type=code id_token&state={4}&nonce={5}&response_mode=form_post";

    // Only generate a fresh value when the caller did not supply one
    if (string.IsNullOrEmpty(nonce))
    {
        nonce = Guid.NewGuid().ToString("N");
    }
    if (string.IsNullOrEmpty(state))
    {
        state = Guid.NewGuid().ToString("N");
    }

    var requestUrl = string.Format(
        preAuthUrl,
        AuthorizeUrl,
        AuthProviderSettings.ClientId,
        AuthProviderSettings.Scopes,
        CallbackUrl,
        state,
        nonce);

    // ... remainder of the method unchanged
}
```
https://github.com/IdentityServer/IdentityServer3/issues/1371
https://stackoverflow.com/questions/7722062/google-oauth2-redirect-uri-with-several-parameters
Thanks,
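Because the redirect_uri must match exactly, per-request data has to ride in the state, and the same state is what the callback relies on to reject forged login responses. The following is an added example, not ServiceStack's or the poster's code: a hypothetical OAuthState helper that builds a state from a random token (stored server-side before the redirect) plus base64url-encoded JSON parameters, and only hands the parameters back once the token has been verified on the callback.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Hypothetical helper, not part of ServiceStack: state = "<random token>.<base64url(JSON params)>".
// The random token is saved in the server-side session before redirecting and compared on the
// callback, so the state still protects against login CSRF even though it also carries app data.
public static class OAuthState
{
    public static string Create(IDictionary<string, string> returnParams, out string csrfToken)
    {
        csrfToken = Base64Url(RandomNumberGenerator.GetBytes(32)); // unguessable part
        var payload = Base64Url(JsonSerializer.SerializeToUtf8Bytes(returnParams));
        return csrfToken + "." + payload;
    }

    // Returns the embedded parameters, or null if the token does not match the stored one.
    public static Dictionary<string, string> Verify(string state, string expectedCsrfToken)
    {
        if (string.IsNullOrEmpty(state) || string.IsNullOrEmpty(expectedCsrfToken)) return null;
        var dot = state.IndexOf('.');
        if (dot <= 0 || dot == state.Length - 1) return null;
        var presented = Encoding.ASCII.GetBytes(state.Substring(0, dot));
        var expected = Encoding.ASCII.GetBytes(expectedCsrfToken);
        // Fixed-time compare: a mismatch does not leak how many leading bytes were right
        if (!CryptographicOperations.FixedTimeEquals(presented, expected)) return null;
        try
        {
            var json = FromBase64Url(state.Substring(dot + 1));
            return JsonSerializer.Deserialize<Dictionary<string, string>>(json);
        }
        catch (Exception) { return null; } // malformed payload: treat the whole state as invalid
    }

    static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    static byte[] FromBase64Url(string s)
    {
        var b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }
}
```

In the AuthenticateClient above, `state = OAuthState.Create(returnParams, out var token)` with `token` kept in the session would replace the bare Guid, and the callback would call `OAuthState.Verify(request.State, token)` and only honour the returned parameters when the result is non-null.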