Support POST OpenID Connect authentication/logout requests #392
Conversation
| <?xml version="1.0" encoding="utf-8"?> | ||
| <configuration> | ||
| <packageSources> | ||
| <add key="aspnet-contrib" value="https://www.myget.org/F/aspnet-contrib/" /> |
There was a problem hiding this comment.
I'll undo these changes when we're ready to merge this PR.
|
Forking the comment thread so GitHub will stop hiding it: #392 (comment) |
|
@Tratcher thanks! [sarcastic mode] |
| @@ -4,5 +4,8 @@ | |||
| <add key="AspNetVNext" value="https://www.myget.org/F/aspnetvnext/api/v2" /> | |||
| <add key="NuGet" value="https://nuget.org/api/v2/" /> | |||
| <add key="AzureAD" value="http://www.myget.org/F/azureadwebstacknightly"/> | |||
| <add key="aspnet-contrib" value="https://www.myget.org/F/aspnet-contrib/" /> | |||
| <add key="Roslyn" value="https://www.myget.org/F/roslyn-nightly/" /> | |||
There was a problem hiding this comment.
These changes have nothing to do in this PR but are required to make CI happy.
I opened a ticket to track this omission (#399) and I'll remove them before squashing.
|
@Tratcher hey. Did you hear back from your OIDC specs specialist? |
|
There is still some debate, but they recommended supporting it. |
|
No words about the methods the logout endpoint should support? |
|
That's what I meant, they said both endpoint should support POSTs. |
|
Ah, interesting. Should we add another property to control the logout method, or should we use AuthenticationMethod for that? |
|
I'd control them both from the same option. I don't know why you'd want to separate them. |
|
Well, I guess an authentication server could support POST for the authorization endpoint (since it's mandatory 😄) but not for the end session endpoint. |
|
PR rebased and updated to support POST logout requests. FYI, I'll be absent this week, but I guess this PR is not critical and can wait a bit. I'll react to your feedback next week 👍 |
|
I'm back! 😄 @blowdart no security concern with this PR? |
kevinchalet
changed the title
|
|
||
| var issuer = Options.HtmlEncoder.HtmlEncode(message.IssuerAddress); | ||
|
|
||
| var content = string.Format(CultureInfo.InvariantCulture, HtmlFormFormat, issuer, inputs); |
There was a problem hiding this comment.
Use string interpolation rather than {0}, {1}
There was a problem hiding this comment.
Then we'll have to de-constant-ize (I love that verb 😄) HtmlFormFormat.
See this comment for why I prefer avoiding using string interpolation on .NET 4.5.1 (though it's a great feature): #392 (comment)
|
|
pending any remaining comments from 
|
Nothing from me. |
| @@ -30,6 +32,22 @@ public class OpenIdConnectAuthenticationHandler : AuthenticationHandler<OpenIdCo | |||
| { | |||
| private const string NonceProperty = "N"; | |||
| private const string UriSchemeDelimiter = "://"; | |||
|
|
|||
| private const string InputTagFormat = @"<input type=""hidden"" name=""{0}"" value=""{1}"" />"; | |||
There was a problem hiding this comment.
@blowdart please make sure you review these codez for HTML injection / CSRF / etc.
There was a problem hiding this comment.
I did, it's used further down at line 132, with encoding happening in the previous 2 lines.
Fixes #295.
@Eilon as promised in my last mail, here are the first bits of the new POST authentication/authorization requests support for OIDC.
/cc @Eilon @HaoK @Tratcher