Checking this in so i can obliterate a secret

dgmjr-io · Jan 25, 2024 · 48febe8 · 48febe8
1 parent 12e0bbb
commit 48febe8
Show file tree

Hide file tree

Showing 30 changed files with 1,971 additions and 148 deletions.
diff --git a/.frontmatter/database/taxonomyDb.json b/.frontmatter/database/taxonomyDb.json
@@ -0,0 +1 @@
+{}
diff --git a/frontmatter.json b/frontmatter.json
@@ -0,0 +1,3 @@
+{
+  "$schema": "https://beta.frontmatter.codes/frontmatter.schema.json"
+}
diff --git a/src/OpenIdConnect.Server/Configuration/Logging.json b/src/OpenIdConnect.Server/Configuration/Logging.json
@@ -1,6 +1,6 @@
 {
-    "LogLevel": {
-        "Default": "Debug",
-        "Microsoft.AspNetCore": "Debug"
-    }
+  "LogLevel": {
+    "Default": "Trace",
+    "Microsoft.AspNetCore": "Trace"
+  }
 }
diff --git a/src/OpenIdConnect.Server/Configuration/TelegramOpenIdConnectServer.json b/src/OpenIdConnect.Server/Configuration/TelegramOpenIdConnectServer.json
@@ -32,15 +32,20 @@
         }
       ],
       "ClientUri": "https://jsonschema.xyz",
-      "GrantType": [
-        "authorization_code",
-        "refresh_token"
+      "AllowedGrantTypes": [
+        // "authorization_code",
+        // "refresh_token",
+        "implicit"
       ],
       "IsActive": true,
       "RedirectUris": [
+        "https://jsonschema.b2clogin.com/jsonschema.onmicrosoft.com/oauth2/authresp",
+        "https://jsonschema.b2clogin.com/jsonschema.xyz/oauth2/authresp",
         "https://jsonschema.xyz/signin-oidc",
-        "https://valid-seahorse-separately.ngrok-free.app/signin-oidc",
-        "https://localhost:7003/signin-oidc"
+        "https://localhost:7003/signin-oidc",
+        "https://login.jsonschema.xyz/jsonschema.onmicrosoft.com/oauth2/authresp",
+        "https://login.jsonschema.xyz/jsonschema.xyz/oauth2/authresp",
+        "https://valid-seahorse-separately.ngrok-free.app/signin-oidc"
       ]
     }
   ]

diff --git a/src/OpenIdConnect.Server/Constants/IdentityServer4Constants.cs b/src/OpenIdConnect.Server/Constants/IdentityServer4Constants.cs
@@ -0,0 +1,311 @@
+namespace Telegram.OpenIdConnect;
+
+using Duende.IdentityServer;
+using Duende.IdentityServer.Models;
+
+using IdentityModel;
+
+internal static class IdentityServer4Constants
+{
+    public const string IdentityServerName = "IdentityServer4";
+    public const string IdentityServerAuthenticationType = IdentityServerName;
+    public const string ExternalAuthenticationMethod = "external";
+    public const string AccessTokenAudience = "{0}resources";
+    public const string DefaultHashAlgorithm = "SHA256";
+
+    public static readonly TimeSpan DefaultCookieTimeSpan = TimeSpan.FromHours(10);
+    public static readonly TimeSpan DefaultCacheDuration = TimeSpan.FromMinutes(5);
+
+    public static readonly List<string> SupportedResponseTypes =
+        new()
+        {
+            OidcConstants.ResponseTypes.Code,
+            OidcConstants.ResponseTypes.Token,
+            OidcConstants.ResponseTypes.IdToken,
+            OidcConstants.ResponseTypes.IdTokenToken,
+            OidcConstants.ResponseTypes.CodeIdToken,
+            OidcConstants.ResponseTypes.CodeToken,
+            OidcConstants.ResponseTypes.CodeIdTokenToken
+        };
+
+    public static readonly Dictionary<string, string> ResponseTypeToGrantTypeMapping =
+        new()
+        {
+            { OidcConstants.ResponseTypes.Code, GrantType.AuthorizationCode },
+            { OidcConstants.ResponseTypes.Token, GrantType.Implicit },
+            { OidcConstants.ResponseTypes.IdToken, GrantType.Implicit },
+            { OidcConstants.ResponseTypes.IdTokenToken, GrantType.Implicit },
+            { OidcConstants.ResponseTypes.CodeIdToken, GrantType.Hybrid },
+            { OidcConstants.ResponseTypes.CodeToken, GrantType.Hybrid },
+            { OidcConstants.ResponseTypes.CodeIdTokenToken, GrantType.Hybrid }
+        };
+
+    public static readonly List<string> AllowedGrantTypesForAuthorizeEndpoint =
+        new() { GrantType.AuthorizationCode, GrantType.Implicit, GrantType.Hybrid };
+
+    public static readonly List<string> SupportedCodeChallengeMethods = new List<string>
+    {
+        OidcConstants.CodeChallengeMethods.Plain,
+        OidcConstants.CodeChallengeMethods.Sha256
+    };
+
+    public enum ScopeRequirement
+    {
+        None,
+        ResourceOnly,
+        IdentityOnly,
+        Identity
+    }
+
+    public static readonly Dictionary<string, ScopeRequirement> ResponseTypeToScopeRequirement =
+        new()
+        {
+            { OidcConstants.ResponseTypes.Code, ScopeRequirement.None },
+            { OidcConstants.ResponseTypes.Token, ScopeRequirement.ResourceOnly },
+            { OidcConstants.ResponseTypes.IdToken, ScopeRequirement.IdentityOnly },
+            { OidcConstants.ResponseTypes.IdTokenToken, ScopeRequirement.Identity },
+            { OidcConstants.ResponseTypes.CodeIdToken, ScopeRequirement.Identity },
+            { OidcConstants.ResponseTypes.CodeToken, ScopeRequirement.Identity },
+            { OidcConstants.ResponseTypes.CodeIdTokenToken, ScopeRequirement.Identity }
+        };
+
+    public static readonly Dictionary<
+        string,
+        IEnumerable<string>
+    > AllowedResponseModesForGrantType = new Dictionary<string, IEnumerable<string>>
+    {
+        {
+            GrantType.AuthorizationCode,
+            new[] { OidcConstants.ResponseModes.Query, OidcConstants.ResponseModes.FormPost }
+        },
+        {
+            GrantType.Hybrid,
+            new[] { OidcConstants.ResponseModes.Fragment, OidcConstants.ResponseModes.FormPost }
+        },
+        {
+            GrantType.Implicit,
+            new[] { OidcConstants.ResponseModes.Fragment, OidcConstants.ResponseModes.FormPost }
+        }
+    };
+
+    public static readonly List<string> SupportedResponseModes =
+        new()
+        {
+            OidcConstants.ResponseModes.FormPost,
+            OidcConstants.ResponseModes.Query,
+            OidcConstants.ResponseModes.Fragment
+        };
+
+    public static string[] SupportedSubjectTypes = { "pairwise", "public" };
+
+    public static class SigningAlgorithms
+    {
+        public const string RSA_SHA_256 = "RS256";
+    }
+
+    public static readonly List<string> SupportedDisplayModes =
+        new()
+        {
+            OidcConstants.DisplayModes.Page,
+            OidcConstants.DisplayModes.Popup,
+            OidcConstants.DisplayModes.Touch,
+            OidcConstants.DisplayModes.Wap
+        };
+
+    public static readonly List<string> SupportedPromptModes =
+        new()
+        {
+            OidcConstants.PromptModes.None,
+            OidcConstants.PromptModes.Login,
+            OidcConstants.PromptModes.Consent,
+            OidcConstants.PromptModes.SelectAccount
+        };
+
+    public static class KnownAcrValues
+    {
+        public const string HomeRealm = "idp:";
+        public const string Tenant = "tenant:";
+
+        public static readonly string[] All = { HomeRealm, Tenant };
+    }
+
+    public static Dictionary<string, int> ProtectedResourceErrorStatusCodes =
+        new()
+        {
+            { OidcConstants.ProtectedResourceErrors.InvalidToken, 401 },
+            { OidcConstants.ProtectedResourceErrors.ExpiredToken, 401 },
+            { OidcConstants.ProtectedResourceErrors.InvalidRequest, 400 },
+            { OidcConstants.ProtectedResourceErrors.InsufficientScope, 403 }
+        };
+
+    public static readonly Dictionary<string, IEnumerable<string>> ScopeToClaimsMapping =
+        new()
+        {
+            {
+                IdentityServerConstants.StandardScopes.Profile,
+                new[]
+                {
+                    JwtClaimTypes.Name,
+                    JwtClaimTypes.FamilyName,
+                    JwtClaimTypes.GivenName,
+                    JwtClaimTypes.MiddleName,
+                    JwtClaimTypes.NickName,
+                    JwtClaimTypes.PreferredUserName,
+                    JwtClaimTypes.Profile,
+                    JwtClaimTypes.Picture,
+                    JwtClaimTypes.WebSite,
+                    JwtClaimTypes.Gender,
+                    JwtClaimTypes.BirthDate,
+                    JwtClaimTypes.ZoneInfo,
+                    JwtClaimTypes.Locale,
+                    JwtClaimTypes.UpdatedAt
+                }
+            },
+            {
+                IdentityServerConstants.StandardScopes.Email,
+                new[] { JwtClaimTypes.Email, JwtClaimTypes.EmailVerified }
+            },
+            { IdentityServerConstants.StandardScopes.Address, new[] { JwtClaimTypes.Address } },
+            {
+                IdentityServerConstants.StandardScopes.Phone,
+                new[] { JwtClaimTypes.PhoneNumber, JwtClaimTypes.PhoneNumberVerified }
+            },
+            { IdentityServerConstants.StandardScopes.OpenId, new[] { JwtClaimTypes.Subject } }
+        };
+
+    public static class UIConstants
+    {
+        // the limit after which old messages are purged
+        public const int CookieMessageThreshold = 2;
+
+        public static class DefaultRoutePathParams
+        {
+            public const string Error = "errorId";
+            public const string Login = "returnUrl";
+            public const string Consent = "returnUrl";
+            public const string Logout = "logoutId";
+            public const string EndSessionCallback = "endSessionId";
+            public const string Custom = "returnUrl";
+        }
+
+        public static class DefaultRoutePaths
+        {
+            public const string Login = "/account/login";
+            public const string Logout = "/account/logout";
+            public const string Consent = "/consent";
+            public const string Error = "/home/error";
+        }
+    }
+
+    public static class EndpointNames
+    {
+        public const string Authorize = "Authorize";
+        public const string Token = "Token";
+        public const string Discovery = "Discovery";
+        public const string Introspection = "Introspection";
+        public const string Revocation = "Revocation";
+        public const string EndSession = "Endsession";
+        public const string CheckSession = "Checksession";
+        public const string UserInfo = "Userinfo";
+    }
+
+    public static class ProtocolRoutePaths
+    {
+        public const string Authorize = "connect/authorize";
+        public const string AuthorizeCallback = Authorize + "/callback";
+        public const string DiscoveryConfiguration = ".well-known/openid-configuration";
+        public const string DiscoveryWebKeys = DiscoveryConfiguration + "/jwks";
+        public const string Token = "connect/token";
+        public const string Revocation = "connect/revocation";
+        public const string UserInfo = "connect/userinfo";
+        public const string Introspection = "connect/introspect";
+        public const string EndSession = "connect/endsession";
+        public const string EndSessionCallback = EndSession + "/callback";
+        public const string CheckSession = "connect/checksession";
+
+        public static readonly string[] CorsPaths =
+        {
+            DiscoveryConfiguration,
+            DiscoveryWebKeys,
+            Token,
+            UserInfo,
+            Revocation
+        };
+    }
+
+    public static class EnvironmentKeys
+    {
+        public const string IdentityServerBasePath = "idsvr:IdentityServerBasePath";
+
+        [Obsolete("The IdentityServerOrigin constant is obsolete.")]
+        public const string IdentityServerOrigin = "idsvr:IdentityServerOrigin"; // todo: deprecate
+        public const string SignOutCalled = "idsvr:IdentityServerSignOutCalled";
+    }
+
+    public static class TokenTypeHints
+    {
+        public const string RefreshToken = "refresh_token";
+        public const string AccessToken = "access_token";
+    }
+
+    public static List<string> SupportedTokenTypeHints =
+        new() { TokenTypeHints.RefreshToken, TokenTypeHints.AccessToken };
+
+    public static class RevocationErrors
+    {
+        public const string UnsupportedTokenType = "unsupported_token_type";
+    }
+
+    public static class Filters
+    {
+        // filter for claims from an incoming access token (e.g. used at the user profile endpoint)
+        public static readonly string[] ProtocolClaimsFilter =
+        {
+            JwtClaimTypes.AccessTokenHash,
+            JwtClaimTypes.Audience,
+            JwtClaimTypes.AuthorizedParty,
+            JwtClaimTypes.AuthorizationCodeHash,
+            JwtClaimTypes.ClientId,
+            JwtClaimTypes.Expiration,
+            JwtClaimTypes.IssuedAt,
+            JwtClaimTypes.Issuer,
+            JwtClaimTypes.JwtId,
+            JwtClaimTypes.Nonce,
+            JwtClaimTypes.NotBefore,
+            JwtClaimTypes.ReferenceTokenId,
+            JwtClaimTypes.SessionId,
+            JwtClaimTypes.Scope
+        };
+
+        // filter list for claims returned from profile service prior to creating tokens
+        public static readonly string[] ClaimsServiceFilterClaimTypes =
+        {
+            // TODO: consider JwtClaimTypes.AuthenticationContextClassReference,
+            JwtClaimTypes.AccessTokenHash,
+            JwtClaimTypes.Audience,
+            JwtClaimTypes.AuthenticationMethod,
+            JwtClaimTypes.AuthenticationTime,
+            JwtClaimTypes.AuthorizedParty,
+            JwtClaimTypes.AuthorizationCodeHash,
+            JwtClaimTypes.ClientId,
+            JwtClaimTypes.Expiration,
+            JwtClaimTypes.IdentityProvider,
+            JwtClaimTypes.IssuedAt,
+            JwtClaimTypes.Issuer,
+            JwtClaimTypes.JwtId,
+            JwtClaimTypes.Nonce,
+            JwtClaimTypes.NotBefore,
+            JwtClaimTypes.ReferenceTokenId,
+            JwtClaimTypes.SessionId,
+            JwtClaimTypes.Subject,
+            JwtClaimTypes.Scope,
+            JwtClaimTypes.Confirmation
+        };
+    }
+
+    public static class WsFedSignOut
+    {
+        public const string LogoutUriParameterName = "wa";
+        public const string LogoutUriParameterValue = "wsignoutcleanup1.0";
+    }
+}