Skip to content

Add AdditionalAuthorizationParameters to OAuthOptions/OpenIdConnectOptions #54119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
Feb 23, 2024
Merged

Add AdditionalAuthorizationParameters to OAuthOptions/OpenIdConnectOptions #54119

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ca8a3df
Add AdditionalAuthorizationParameters to OAuthOptions/OpenIdConnectOp…
joegoldman2 Feb 19, 2024
6d43693
Update src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHan…
joegoldman2 Feb 19, 2024
805650e
Remove unnecessary alloc
joegoldman2 Feb 20, 2024
45b965b
Apply suggestions from code review
halter73 Feb 23, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
17 changes: 11 additions & 6 deletions src/Security/Authentication/OAuth/src/OAuthHandler.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -303,12 +303,12 @@ protected virtual string BuildChallengeUrl(AuthenticationProperties properties,
var scope = scopeParameter != null ? FormatScope(scopeParameter) : FormatScope();

var parameters = new Dictionary<string, string>
{
{ "client_id", Options.ClientId },
{ "scope", scope },
{ "response_type", "code" },
{ "redirect_uri", redirectUri },
};
{
{ "client_id", Options.ClientId },
{ "scope", scope },
{ "response_type", "code" },
{ "redirect_uri", redirectUri },
};

if (Options.UsePkce)
{
Expand All @@ -328,6 +328,11 @@ protected virtual string BuildChallengeUrl(AuthenticationProperties properties,

parameters["state"] = Options.StateDataFormat.Protect(properties);

foreach (var additionalParameter in Options.AdditionalAuthorizationParameters)
{
parameters.Add(additionalParameter.Key, additionalParameter.Value);
}

return QueryHelpers.AddQueryString(Options.AuthorizationEndpoint, parameters!);
}

Expand Down
10 changes: 10 additions & 0 deletions src/Security/Authentication/OAuth/src/OAuthOptions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,6 +83,16 @@ public override void Validate()
/// </summary>
public ICollection<string> Scope { get; } = new HashSet<string>();

/// <summary>
/// Gets the additional parameters that will be included in the authorization request.
/// </summary>
/// <remarks>
/// The additional parameters can be used to customize the authorization request,
/// providing extra information or fulfilling specific requirements of the OAuth provider.
/// These parameters are typically, but not always, appended to the query string.
/// </remarks>
public IDictionary<string, string> AdditionalAuthorizationParameters { get; } = new Dictionary<string, string>();

/// <summary>
/// Gets or sets the type used to secure data handled by the middleware.
/// </summary>
Expand Down
1 change: 1 addition & 0 deletions src/Security/Authentication/OAuth/src/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
#nullable enable
Microsoft.AspNetCore.Authentication.OAuth.OAuthOptions.AdditionalAuthorizationParameters.get -> System.Collections.Generic.IDictionary<string!, string!>!
5 changes: 5 additions & 0 deletions src/Security/Authentication/OpenIdConnect/src/OpenIdConnectHandler.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -450,6 +450,11 @@ private async Task HandleChallengeAsyncInternal(AuthenticationProperties propert

GenerateCorrelationId(properties);

foreach (var additionalParameter in Options.AdditionalAuthorizationParameters)
{
message.Parameters.Add(additionalParameter.Key, additionalParameter.Value);
}

var redirectContext = new RedirectContext(Context, Scheme, Options, properties)
{
ProtocolMessage = message
Expand Down
10 changes: 10 additions & 0 deletions src/Security/Authentication/OpenIdConnect/src/OpenIdConnectOptions.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -236,6 +236,16 @@ public override void Validate()
/// </summary>
public ICollection<string> Scope { get; } = new HashSet<string>();

/// <summary>
/// Gets the additional parameters that will be included in the authorization request.
/// </summary>
/// <remarks>
/// The additional parameters can be used to customize the authorization request,
/// providing extra information or fulfilling specific requirements of the OpenIdConnect provider.
/// These parameters are typically, but not always, appended to the query string.
/// </remarks>
public IDictionary<string, string> AdditionalAuthorizationParameters { get; } = new Dictionary<string, string>();

/// <summary>
/// Requests received on this path will cause the handler to invoke SignOut using the SignOutScheme.
/// </summary>
Expand Down
1 change: 1 addition & 0 deletions src/Security/Authentication/OpenIdConnect/src/PublicAPI.Unshipped.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1 +1,2 @@
#nullable enable
Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectOptions.AdditionalAuthorizationParameters.get -> System.Collections.Generic.IDictionary<string!, string!>!
26 changes: 26 additions & 0 deletions src/Security/Authentication/test/OAuthTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,32 @@ public async Task RedirectToAuthorizeEndpoint_HasScopeAsConfigured()
Assert.Contains("scope=foo%20bar", res.Headers.Location.Query);
}

[Fact]
public async Task RedirectToAuthorizeEndpoint_HasAdditionalAuthorizationParametersAsConfigured()
{
using var host = await CreateHost(
s => s.AddAuthentication(o => o.DisableAutoDefaultScheme = true).AddOAuth(
"Weblie",
opt =>
{
ConfigureDefaults(opt);
opt.AdditionalAuthorizationParameters.Add("prompt", "login");
opt.AdditionalAuthorizationParameters.Add("audience", "https://api.example.com");
}),
async ctx =>
{
await ctx.ChallengeAsync("Weblie");
return true;
});

using var server = host.GetTestServer();
var transaction = await server.SendAsync("https://www.example.com/challenge");
var res = transaction.Response;

Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
Assert.Contains("prompt=login&audience=https%3A%2F%2Fapi.example.com", res.Headers.Location.Query);
}

[Fact]
public async Task RedirectToAuthorizeEndpoint_HasScopeAsOverwritten()
{
Expand Down
21 changes: 21 additions & 0 deletions src/Security/Authentication/test/OpenIdConnect/OpenIdConnectChallengeTests.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -670,4 +670,25 @@ public async Task Challenge_HasOverwrittenMaxAgeParaFromBaseAuthenticationProper
settings.ValidateChallengeRedirect(res.Headers.Location);
Assert.Contains("max_age=1234", res.Headers.Location.Query);
}

[Fact]
public async Task Challenge_WithAdditionalAuthorizationParameters()
{
var settings = new TestSettings(opt =>
{
opt.ClientId = "Test Id";
opt.Authority = TestServerBuilder.DefaultAuthority;
opt.AdditionalAuthorizationParameters.Add("prompt", "login");
opt.AdditionalAuthorizationParameters.Add("audience", "https://api.example.com");
});

var server = settings.CreateTestServer();
var transaction = await server.SendAsync(TestServerBuilder.TestHost + TestServerBuilder.ChallengeWithProperties);

var res = transaction.Response;

Assert.Equal(HttpStatusCode.Redirect, res.StatusCode);
settings.ValidateChallengeRedirect(res.Headers.Location);
Assert.Contains("prompt=login&audience=https%3A%2F%2Fapi.example.com", res.Headers.Location.Query);
}
}