
Update to v4 (#7)
* update libs

* update UI

* config updates

* UI updates

* cleanup

* add deploy condition
leastprivilege committed Jun 19, 2020
1 parent 5db239b commit ab6c5b8
Showing 187 changed files with 50,197 additions and 15,090 deletions.
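--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -18,4 +18,5 @@ steps:
 azureSubscription: 'leastprivilege(b4f1893e-53e4-474d-aee5-7c0db5668eee)'
 appType: 'webApp'
 WebAppName: 'identityserver4demo'
-packageForLinux: '$(System.DefaultWorkingDirectory)/publish'
+packageForLinux: '$(System.DefaultWorkingDirectory)/publish'
+condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/master'))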
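Review bot: The new `condition:` line should carry a comment explaining why the deploy step is gated, and its placement needs confirming: the rendered diff loses indentation, so a reader cannot tell whether `condition` is a sibling of `inputs:` (task level, where Azure Pipelines honours it) or has been nested under `inputs:`, where it would be ignored and every build would still deploy. Suggested comment above it: `# deploy only from CI builds of master; PR and feature-branch builds stop after the publish step`. The enclosing task under `steps:` starts outside the hunk.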
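--- a/global.json
+++ b/global.json
@@ -1,6 +1,6 @@
 {
 "sdk": {
-"version": "3.1.100",
+"version": "3.1.300",
 "rollForward": "latestPatch"
 }
 }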
277 changes: 52 additions & 225 deletions src/IdentityServer4Demo/Config.cs
Expand Up @@ -15,33 +15,62 @@ public static IEnumerable<IdentityResource> GetIdentityResources()
};
}

public static IEnumerable<ApiScope> GetApiScopes()
{
return new List<ApiScope>
{
// backward compat
new ApiScope("api"),

// more formal
new ApiScope("api.scope1"),
new ApiScope("api.scope2"),

// scope without a resource
new ApiScope("scope2"),

// policyserver
new ApiScope("policyserver.runtime"),
new ApiScope("policyserver.management")
};
}

public static IEnumerable<ApiResource> GetApis()
{
return new List<ApiResource>
{
new ApiResource("api", "Demo API")
{
ApiSecrets = { new Secret("secret".Sha256()) }
ApiSecrets = { new Secret("secret".Sha256()) },

Scopes = { "api", "api.scope1", "api.scope2" }
},

// PolicyServer demo
new ApiResource("policyserver.runtime"),
// PolicyServer demo (audience should match scope)
new ApiResource("policyserver.runtime")
{
Scopes = { "policyserver.runtime" }
},
new ApiResource("policyserver.management")
{
Scopes = { "policyserver.runtime" }
}
};
}

public static IEnumerable<Client> GetClients()
{
return new List<Client>
{
// non-interactive
new Client
{
ClientId = "m2m",
ClientName = "Machine to machine (client credentials)",
ClientSecrets = { new Secret("secret".Sha256()) },

AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "api", "policyserver.runtime", "policyserver.management" },
AllowedScopes = { "api", "api.scope1", "api.scope2", "scope2", "policyserver.runtime", "policyserver.management" },
},
new Client
{
Expand All @@ -50,10 +79,11 @@ public static IEnumerable<Client> GetClients()
ClientSecrets = { new Secret("secret".Sha256()) },

AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "api" },
AllowedScopes = { "api", "api.scope1", "api.scope2", "scope2" },
AccessTokenLifetime = 75
},

// interactive
new Client
{
ClientId = "interactive.confidential",
Expand All @@ -63,14 +93,13 @@ public static IEnumerable<Client> GetClients()
PostLogoutRedirectUris = { "https://notused" },

ClientSecrets = { new Secret("secret".Sha256()) },
RequireConsent = false,

AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "email", "api" },
AllowedScopes = { "openid", "profile", "email", "api", "api.scope1", "api.scope2", "scope2" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenExpiration = TokenExpiration.Sliding
},
new Client
{
Expand All @@ -85,10 +114,12 @@ public static IEnumerable<Client> GetClients()

AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "email", "api" },
AllowedScopes = { "openid", "profile", "email", "api", "api.scope1", "api.scope2", "scope2" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenExpiration = TokenExpiration.Sliding,

AccessTokenLifetime = 75
},

Expand All @@ -101,14 +132,13 @@ public static IEnumerable<Client> GetClients()
PostLogoutRedirectUris = { "https://notused" },

RequireClientSecret = false,
RequireConsent = false,

AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "email", "api" },
AllowedScopes = { "openid", "profile", "email", "api", "api.scope1", "api.scope2", "scope2" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
RefreshTokenUsage = TokenUsage.OneTimeOnly,
RefreshTokenExpiration = TokenExpiration.Sliding
},
new Client
{
Expand All @@ -119,14 +149,14 @@ public static IEnumerable<Client> GetClients()
PostLogoutRedirectUris = { "https://notused" },

RequireClientSecret = false,
RequireConsent = false,

AllowedGrantTypes = GrantTypes.Code,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "email", "api" },
AllowedScopes = { "openid", "profile", "email", "api", "api.scope1", "api.scope2", "scope2" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
RefreshTokenExpiration = TokenExpiration.Sliding,

AccessTokenLifetime = 75
},

Expand All @@ -138,215 +168,12 @@ public static IEnumerable<Client> GetClients()
AllowedGrantTypes = GrantTypes.DeviceFlow,
RequireClientSecret = false,

AllowOfflineAccess = true,
AllowedScopes = { "openid", "profile", "email", "api" }
},


// legacy
new Client
{
ClientId = "native.hybrid",
ClientName = "Native Client (Hybrid with PKCE)",

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

RequireClientSecret = false,
RequireConsent = false,

AllowedGrantTypes = GrantTypes.Hybrid,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
},
new Client
{
ClientId = "server.hybrid",
ClientName = "Server-based Client (Hybrid)",

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

ClientSecrets = { new Secret("secret".Sha256()) },
RequireConsent = false,

AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
},
new Client
{
ClientId = "server.hybrid.short",
ClientName = "Server-based Client (Hybrid)",

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

ClientSecrets = { new Secret("secret".Sha256()) },
RequireConsent = false,

AllowedGrantTypes = GrantTypes.HybridAndClientCredentials,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse,
AccessTokenLifetime = 70,
},
new Client
{
ClientId = "native.code",
ClientName = "Native Client (Code with PKCE)",

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

RequireClientSecret = false,
RequireConsent = false,

AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
RequirePkce = true,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
},
new Client
{
ClientId = "server.code",
ClientName = "Server Client (Code)",

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

ClientSecrets = { new Secret("secret".Sha256()) },
RequireConsent = false,

AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
},
new Client
{
ClientId = "server.code.short",
ClientName = "Server Client (Code)",

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

ClientSecrets = { new Secret("secret".Sha256()) },
RequireConsent = false,

AllowedGrantTypes = GrantTypes.CodeAndClientCredentials,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse,
AccessTokenLifetime = 70
},

// server to server
new Client
{
ClientId = "client",
ClientSecrets = { new Secret("secret".Sha256()) },

AllowedGrantTypes = GrantTypes.ClientCredentials,
AllowedScopes = { "api" },
},

// SPA per new security guidance
new Client
{
ClientId = "spa",
ClientName = "SPA (Code + PKCE)",

RequireClientSecret = false,
RequireConsent = false,

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

AllowedGrantTypes = GrantTypes.Code,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.ReUse
},
new Client
{
ClientId = "spa.short",
ClientName = "SPA (Code + PKCE)",

RequireClientSecret = false,
RequireConsent = false,

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

AllowedGrantTypes = GrantTypes.Code,
AllowedScopes = { "openid", "profile", "email", "api" },

AllowOfflineAccess = true,
RefreshTokenUsage = TokenUsage.OneTimeOnly,
AccessTokenLifetime = 70
},

// implicit (e.g. SPA or OIDC authentication)
new Client
{
ClientId = "implicit",
ClientName = "Implicit Client",
AllowAccessTokensViaBrowser = true,
RequireConsent = false,

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },
FrontChannelLogoutUri = "http://localhost:5000/signout-idsrv", // for testing identityserver on localhost

AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "email", "api" },
},

// implicit using reference tokens (e.g. SPA or OIDC authentication)
new Client
{
ClientId = "implicit.reference",
ClientName = "Implicit Client using reference tokens",
AllowAccessTokensViaBrowser = true,

AccessTokenType = AccessTokenType.Reference,
RequireConsent = false,

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "email", "api" },
},

// implicit using reference tokens (e.g. SPA or OIDC authentication)
new Client
{
ClientId = "implicit.shortlived",
ClientName = "Implicit Client using short-lived tokens",
AllowAccessTokensViaBrowser = true,

AccessTokenLifetime = 70,
RequireConsent = false,

RedirectUris = { "https://notused" },
PostLogoutRedirectUris = { "https://notused" },

AllowedGrantTypes = GrantTypes.Implicit,
AllowedScopes = { "openid", "profile", "email", "api" },
},
RefreshTokenExpiration = TokenExpiration.Sliding,

AllowedScopes = { "openid", "profile", "email", "api", "api.scope1", "api.scope2", "scope2" }
}
};
}
}
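Review bot: In the first hunk, the `policyserver.management` ApiResource at the end of GetApis is given `Scopes = { "policyserver.runtime" }`, which contradicts the hunk's own comment that the audience should match the scope and leaves the `policyserver.management` scope defined in GetApiScopes (and granted to the `m2m` client) unattached to any resource; as far as IdentityServer4 v4's audience derivation goes, a token requested with that scope would carry no management audience, while a token holding only `policyserver.runtime` would be issued with the management API's audience. Change that line to `Scopes = { "policyserver.management" }`. The refresh-token settings in the later hunks look consistent with the upgrade (OneTimeOnly rotation for the public native and SPA clients, ReUse kept for the confidential server clients), but ReUse combined with Sliding expiration means a leaked refresh token for a server client stays valid for as long as it keeps being used, which deserves a comment if it is deliberate for the demo. GetApis is complete within the first hunk; GetClients starts there and continues past it.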
