├── .github
    └── workflows
    │   └── dotnet.yml
├── .gitignore
├── BffOidc.Server.sln
├── CHANGELOG.md
├── IdentityProvider
    ├── Areas
    │   └── Identity
    │   │   ├── IdentityHostingStartup.cs
    │   │   └── Pages
    │   │       ├── Account
    │   │           ├── Login.cshtml
    │   │           ├── Login.cshtml.cs
    │   │           ├── LoginFido2Mfa.cshtml
    │   │           ├── LoginFido2Mfa.cshtml.cs
    │   │           ├── Manage
    │   │           │   ├── Disable2fa.cshtml
    │   │           │   ├── Disable2fa.cshtml.cs
    │   │           │   ├── Fido2Mfa.cshtml
    │   │           │   ├── Fido2Mfa.cshtml.cs
    │   │           │   ├── ManageNavPages.cs
    │   │           │   ├── TwoFactorAuthentication.cshtml
    │   │           │   ├── TwoFactorAuthentication.cshtml.cs
    │   │           │   ├── _ManageNav.cshtml
    │   │           │   └── _ViewImports.cshtml
    │   │           └── _ViewImports.cshtml
    │   │       ├── _ValidationScriptsPartial.cshtml
    │   │       ├── _ViewImports.cshtml
    │   │       └── _ViewStart.cshtml
    ├── Controllers
    │   ├── AuthorizationController.cs
    │   ├── ErrorController.cs
    │   ├── HomeController.cs
    │   ├── ResourceController.cs
    │   └── UserinfoController.cs
    ├── Data
    │   ├── ApplicationDbContext.cs
    │   └── ApplicationUser.cs
    ├── Fido2
    │   ├── Fido2Store.cs
    │   ├── Fido2UserTwoFactorTokenProvider.cs
    │   ├── FidoStoredCredential.cs
    │   ├── MfaFido2RegisterController.cs
    │   ├── MfaFido2SignInFidoController.cs
    │   ├── PwFido2RegisterController.cs
    │   └── PwFido2SignInController.cs
    ├── Helpers
    │   ├── AsyncEnumerableExtensions.cs
    │   └── FormValueRequiredAttribute.cs
    ├── IdentityProvider.csproj
    ├── Migrations
    │   ├── 20220827060047_add-fido2.Designer.cs
    │   ├── 20220827060047_add-fido2.cs
    │   ├── 20240229095541_UpdateOidc.Designer.cs
    │   ├── 20240229095541_UpdateOidc.cs
    │   ├── 20240229100936_update-oidc.Designer.cs
    │   ├── 20240229100936_update-oidc.cs
    │   └── ApplicationDbContextModelSnapshot.cs
    ├── Program.cs
    ├── Properties
    │   └── launchSettings.json
    ├── ViewModels
    │   ├── Authorization
    │   │   └── AuthorizeViewModel.cs
    │   └── Shared
    │   │   └── ErrorViewModel.cs
    ├── Views
    │   ├── Authorization
    │   │   ├── Authorize.cshtml
    │   │   └── Logout.cshtml
    │   ├── Home
    │   │   ├── Index.cshtml
    │   │   └── Privacy.cshtml
    │   ├── Shared
    │   │   ├── Error.cshtml
    │   │   ├── _Layout.cshtml
    │   │   ├── _Layout.cshtml.css
    │   │   └── _LoginPartial.cshtml
    │   ├── _ViewImports.cshtml
    │   └── _ViewStart.cshtml
    ├── Worker.cs
    ├── appsettings.json
    ├── usersdatabase.sqlite
    └── wwwroot
    │   ├── css
    │       └── site.css
    │   ├── favicon.ico
    │   ├── images
    │       ├── securitykey.min.svg
    │       └── securitykey.svg
    │   ├── js
    │       ├── helpers.js
    │       ├── instant.js
    │       ├── mfa.login.js
    │       ├── mfa.register.js
    │       └── site.js
    │   └── lib
    │       ├── bootstrap
    │           ├── LICENSE
    │           └── dist
    │           │   ├── css
    │           │       ├── bootstrap-grid.css
    │           │       ├── bootstrap-grid.css.map
    │           │       ├── bootstrap-grid.min.css
    │           │       ├── bootstrap-grid.min.css.map
    │           │       ├── bootstrap-grid.rtl.css
    │           │       ├── bootstrap-grid.rtl.css.map
    │           │       ├── bootstrap-grid.rtl.min.css
    │           │       ├── bootstrap-grid.rtl.min.css.map
    │           │       ├── bootstrap-reboot.css
    │           │       ├── bootstrap-reboot.css.map
    │           │       ├── bootstrap-reboot.min.css
    │           │       ├── bootstrap-reboot.min.css.map
    │           │       ├── bootstrap-reboot.rtl.css
    │           │       ├── bootstrap-reboot.rtl.css.map
    │           │       ├── bootstrap-reboot.rtl.min.css
    │           │       ├── bootstrap-reboot.rtl.min.css.map
    │           │       ├── bootstrap-utilities.css
    │           │       ├── bootstrap-utilities.css.map
    │           │       ├── bootstrap-utilities.min.css
    │           │       ├── bootstrap-utilities.min.css.map
    │           │       ├── bootstrap-utilities.rtl.css
    │           │       ├── bootstrap-utilities.rtl.css.map
    │           │       ├── bootstrap-utilities.rtl.min.css
    │           │       ├── bootstrap-utilities.rtl.min.css.map
    │           │       ├── bootstrap.css
    │           │       ├── bootstrap.css.map
    │           │       ├── bootstrap.min.css
    │           │       ├── bootstrap.min.css.map
    │           │       ├── bootstrap.rtl.css
    │           │       ├── bootstrap.rtl.css.map
    │           │       ├── bootstrap.rtl.min.css
    │           │       └── bootstrap.rtl.min.css.map
    │           │   └── js
    │           │       ├── bootstrap.bundle.js
    │           │       ├── bootstrap.bundle.js.map
    │           │       ├── bootstrap.bundle.min.js
    │           │       ├── bootstrap.bundle.min.js.map
    │           │       ├── bootstrap.esm.js
    │           │       ├── bootstrap.esm.js.map
    │           │       ├── bootstrap.esm.min.js
    │           │       ├── bootstrap.esm.min.js.map
    │           │       ├── bootstrap.js
    │           │       ├── bootstrap.js.map
    │           │       ├── bootstrap.min.js
    │           │       └── bootstrap.min.js.map
    │       ├── jquery-validation-unobtrusive
    │           ├── LICENSE.txt
    │           └── dist
    │           │   ├── jquery.validate.unobtrusive.js
    │           │   └── jquery.validate.unobtrusive.min.js
    │       ├── jquery-validation
    │           ├── LICENSE.md
    │           └── dist
    │           │   ├── additional-methods.js
    │           │   ├── additional-methods.min.js
    │           │   ├── jquery.validate.js
    │           │   └── jquery.validate.min.js
    │       └── jquery
    │           ├── LICENSE.txt
    │           └── dist
    │               ├── jquery.js
    │               ├── jquery.min.js
    │               ├── jquery.min.map
    │               ├── jquery.slim.js
    │               ├── jquery.slim.min.js
    │               └── jquery.slim.min.map
├── LICENSE
├── README.md
├── bff
    ├── server
    │   ├── BffOidc.Server.csproj
    │   ├── Controllers
    │   │   ├── AccountController.cs
    │   │   ├── DirectApiController.cs
    │   │   └── UserController.cs
    │   ├── Models
    │   │   ├── ClaimValue.cs
    │   │   └── UserInfo.cs
    │   ├── Pages
    │   │   ├── Error.cshtml
    │   │   ├── Error.cshtml.cs
    │   │   └── _Host.cshtml
    │   ├── Program.cs
    │   ├── Properties
    │   │   └── launchSettings.json
    │   ├── SecurityHeadersDefinitions.cs
    │   ├── Services
    │   │   ├── ApplicationBuilderExtensions.cs
    │   │   └── EndpointRouteBuilderExtensions.cs
    │   ├── appsettings.Development.json
    │   ├── appsettings.json
    │   └── wwwroot
    │   │   ├── assets
    │   │       ├── index-87c75793.css
    │   │       ├── index-88585cd9.js
    │   │       └── vue-5532db34.svg
    │   │   ├── index.html
    │   │   └── vite.svg
    └── ui
    │   ├── .gitignore
    │   ├── .vscode
    │       └── extensions.json
    │   ├── README.md
    │   ├── certs
    │       ├── Readme.md
    │       ├── dev_localhost.crt
    │       ├── dev_localhost.key
    │       └── dev_localhost.pem
    │   ├── index.html
    │   ├── package-lock.json
    │   ├── package.json
    │   ├── public
    │       └── vite.svg
    │   ├── src
    │       ├── App.vue
    │       ├── assets
    │       │   └── vue.svg
    │       ├── components
    │       │   ├── HelloWorld.vue
    │       │   └── ResultsDisplay.vue
    │       ├── getCookie.ts
    │       ├── main.ts
    │       ├── style.css
    │       └── vite-env.d.ts
    │   ├── tsconfig.json
    │   ├── tsconfig.node.json
    │   └── vite.config.ts
└── images
    ├── .$vue-aspnetcore-bff-yarp-dev.drawio.png.bkp
    ├── .$vue-aspnetcore-bff.drawio.png.bkp
    ├── vue-aspnetcore-bff-02.png
    ├── vue-aspnetcore-bff-yarp-dev.drawio.png
    └── vue-aspnetcore-bff.drawio.png


/.github/workflows/dotnet.yml:
--------------------------------------------------------------------------------
 1 | 
 2 | name: .NET and npm build
 3 | 
 4 | on:
 5 |   push:
 6 |     branches: [ "main" ]
 7 |   pull_request:
 8 |     branches: [ "main" ]
 9 | 
10 | jobs:
11 |   build:
12 |     runs-on: ubuntu-latest
13 | 
14 |     steps:
15 | 
16 |       - uses: actions/checkout@v4
17 |       - name: Setup .NET
18 |         uses: actions/setup-dotnet@v4
19 |         with:
20 |           dotnet-version: 9.0.x
21 | 
22 |       - name: Restore dependencies
23 |         run: dotnet restore
24 | 
25 |       - name: npm setup
26 |         working-directory: bff/ui
27 |         run: npm install
28 | 
29 |       - name: ui-build
30 |         working-directory: bff/ui
31 |         run: npm run build
32 | 
33 |       - name: Build
34 |         run: dotnet build --no-restore
35 |       - name: Test
36 |         run: dotnet test --no-build --verbosity normal
37 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
  1 | ## Ignore Visual Studio temporary files, build results, and
  2 | ## files generated by popular Visual Studio add-ons.
  3 | ##
  4 | ## Get latest from https://github.com/github/gitignore/blob/main/VisualStudio.gitignore
  5 | 
  6 | # User-specific files
  7 | *.rsuser
  8 | *.suo
  9 | *.user
 10 | *.userosscache
 11 | *.sln.docstates
 12 | 
 13 | # User-specific files (MonoDevelop/Xamarin Studio)
 14 | *.userprefs
 15 | 
 16 | # Mono auto generated files
 17 | mono_crash.*
 18 | 
 19 | # Build results
 20 | [Dd]ebug/
 21 | [Dd]ebugPublic/
 22 | [Rr]elease/
 23 | [Rr]eleases/
 24 | x64/
 25 | x86/
 26 | [Ww][Ii][Nn]32/
 27 | [Aa][Rr][Mm]/
 28 | [Aa][Rr][Mm]64/
 29 | bld/
 30 | [Bb]in/
 31 | [Oo]bj/
 32 | [Ll]og/
 33 | [Ll]ogs/
 34 | 
 35 | # Visual Studio 2015/2017 cache/options directory
 36 | .vs/
 37 | # Uncomment if you have tasks that create the project's static files in wwwroot
 38 | #wwwroot/
 39 | 
 40 | # Visual Studio 2017 auto generated files
 41 | Generated\ Files/
 42 | 
 43 | # MSTest test Results
 44 | [Tt]est[Rr]esult*/
 45 | [Bb]uild[Ll]og.*
 46 | 
 47 | # NUnit
 48 | *.VisualState.xml
 49 | TestResult.xml
 50 | nunit-*.xml
 51 | 
 52 | # Build Results of an ATL Project
 53 | [Dd]ebugPS/
 54 | [Rr]eleasePS/
 55 | dlldata.c
 56 | 
 57 | # Benchmark Results
 58 | BenchmarkDotNet.Artifacts/
 59 | 
 60 | # .NET Core
 61 | project.lock.json
 62 | project.fragment.lock.json
 63 | artifacts/
 64 | 
 65 | # ASP.NET Scaffolding
 66 | ScaffoldingReadMe.txt
 67 | 
 68 | # StyleCop
 69 | StyleCopReport.xml
 70 | 
 71 | # Files built by Visual Studio
 72 | *_i.c
 73 | *_p.c
 74 | *_h.h
 75 | *.ilk
 76 | *.meta
 77 | *.obj
 78 | *.iobj
 79 | *.pch
 80 | *.pdb
 81 | *.ipdb
 82 | *.pgc
 83 | *.pgd
 84 | *.rsp
 85 | *.sbr
 86 | *.tlb
 87 | *.tli
 88 | *.tlh
 89 | *.tmp
 90 | *.tmp_proj
 91 | *_wpftmp.csproj
 92 | *.log
 93 | *.tlog
 94 | *.vspscc
 95 | *.vssscc
 96 | .builds
 97 | *.pidb
 98 | *.svclog
 99 | *.scc
100 | 
101 | # Chutzpah Test files
102 | _Chutzpah*
103 | 
104 | # Visual C++ cache files
105 | ipch/
106 | *.aps
107 | *.ncb
108 | *.opendb
109 | *.opensdf
110 | *.sdf
111 | *.cachefile
112 | *.VC.db
113 | *.VC.VC.opendb
114 | 
115 | # Visual Studio profiler
116 | *.psess
117 | *.vsp
118 | *.vspx
119 | *.sap
120 | 
121 | # Visual Studio Trace Files
122 | *.e2e
123 | 
124 | # TFS 2012 Local Workspace
125 | $tf/
126 | 
127 | # Guidance Automation Toolkit
128 | *.gpState
129 | 
130 | # ReSharper is a .NET coding add-in
131 | _ReSharper*/
132 | *.[Rr]e[Ss]harper
133 | *.DotSettings.user
134 | 
135 | # TeamCity is a build add-in
136 | _TeamCity*
137 | 
138 | # DotCover is a Code Coverage Tool
139 | *.dotCover
140 | 
141 | # AxoCover is a Code Coverage Tool
142 | .axoCover/*
143 | !.axoCover/settings.json
144 | 
145 | # Coverlet is a free, cross platform Code Coverage Tool
146 | coverage*.json
147 | coverage*.xml
148 | coverage*.info
149 | 
150 | # Visual Studio code coverage results
151 | *.coverage
152 | *.coveragexml
153 | 
154 | # NCrunch
155 | _NCrunch_*
156 | .*crunch*.local.xml
157 | nCrunchTemp_*
158 | 
159 | # MightyMoose
160 | *.mm.*
161 | AutoTest.Net/
162 | 
163 | # Web workbench (sass)
164 | .sass-cache/
165 | 
166 | # Installshield output folder
167 | [Ee]xpress/
168 | 
169 | # DocProject is a documentation generator add-in
170 | DocProject/buildhelp/
171 | DocProject/Help/*.HxT
172 | DocProject/Help/*.HxC
173 | DocProject/Help/*.hhc
174 | DocProject/Help/*.hhk
175 | DocProject/Help/*.hhp
176 | DocProject/Help/Html2
177 | DocProject/Help/html
178 | 
179 | # Click-Once directory
180 | publish/
181 | 
182 | # Publish Web Output
183 | *.[Pp]ublish.xml
184 | *.azurePubxml
185 | # Note: Comment the next line if you want to checkin your web deploy settings,
186 | # but database connection strings (with potential passwords) will be unencrypted
187 | *.pubxml
188 | *.publishproj
189 | 
190 | # Microsoft Azure Web App publish settings. Comment the next line if you want to
191 | # checkin your Azure Web App publish settings, but sensitive information contained
192 | # in these scripts will be unencrypted
193 | PublishScripts/
194 | 
195 | # NuGet Packages
196 | *.nupkg
197 | # NuGet Symbol Packages
198 | *.snupkg
199 | # The packages folder can be ignored because of Package Restore
200 | **/[Pp]ackages/*
201 | # except build/, which is used as an MSBuild target.
202 | !**/[Pp]ackages/build/
203 | # Uncomment if necessary however generally it will be regenerated when needed
204 | #!**/[Pp]ackages/repositories.config
205 | # NuGet v3's project.json files produces more ignorable files
206 | *.nuget.props
207 | *.nuget.targets
208 | 
209 | # Microsoft Azure Build Output
210 | csx/
211 | *.build.csdef
212 | 
213 | # Microsoft Azure Emulator
214 | ecf/
215 | rcf/
216 | 
217 | # Windows Store app package directories and files
218 | AppPackages/
219 | BundleArtifacts/
220 | Package.StoreAssociation.xml
221 | _pkginfo.txt
222 | *.appx
223 | *.appxbundle
224 | *.appxupload
225 | 
226 | # Visual Studio cache files
227 | # files ending in .cache can be ignored
228 | *.[Cc]ache
229 | # but keep track of directories ending in .cache
230 | !?*.[Cc]ache/
231 | 
232 | # Others
233 | ClientBin/
234 | ~$*
235 | *~
236 | *.dbmdl
237 | *.dbproj.schemaview
238 | *.jfm
239 | *.pfx
240 | *.publishsettings
241 | orleans.codegen.cs
242 | 
243 | # Including strong name files can present a security risk
244 | # (https://github.com/github/gitignore/pull/2483#issue-259490424)
245 | #*.snk
246 | 
247 | # Since there are multiple workflows, uncomment next line to ignore bower_components
248 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
249 | #bower_components/
250 | 
251 | # RIA/Silverlight projects
252 | Generated_Code/
253 | 
254 | # Backup & report files from converting an old project file
255 | # to a newer Visual Studio version. Backup files are not needed,
256 | # because we have git ;-)
257 | _UpgradeReport_Files/
258 | Backup*/
259 | UpgradeLog*.XML
260 | UpgradeLog*.htm
261 | ServiceFabricBackup/
262 | *.rptproj.bak
263 | 
264 | # SQL Server files
265 | *.mdf
266 | *.ldf
267 | *.ndf
268 | 
269 | # Business Intelligence projects
270 | *.rdl.data
271 | *.bim.layout
272 | *.bim_*.settings
273 | *.rptproj.rsuser
274 | *- [Bb]ackup.rdl
275 | *- [Bb]ackup ([0-9]).rdl
276 | *- [Bb]ackup ([0-9][0-9]).rdl
277 | 
278 | # Microsoft Fakes
279 | FakesAssemblies/
280 | 
281 | # GhostDoc plugin setting file
282 | *.GhostDoc.xml
283 | 
284 | # Node.js Tools for Visual Studio
285 | .ntvs_analysis.dat
286 | node_modules/
287 | 
288 | # Visual Studio 6 build log
289 | *.plg
290 | 
291 | # Visual Studio 6 workspace options file
292 | *.opt
293 | 
294 | # Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
295 | *.vbw
296 | 
297 | # Visual Studio 6 auto-generated project file (contains which files were open etc.)
298 | *.vbp
299 | 
300 | # Visual Studio 6 workspace and project file (working project files containing files to include in project)
301 | *.dsw
302 | *.dsp
303 | 
304 | # Visual Studio 6 technical files
305 | *.ncb
306 | *.aps
307 | 
308 | # Visual Studio LightSwitch build output
309 | **/*.HTMLClient/GeneratedArtifacts
310 | **/*.DesktopClient/GeneratedArtifacts
311 | **/*.DesktopClient/ModelManifest.xml
312 | **/*.Server/GeneratedArtifacts
313 | **/*.Server/ModelManifest.xml
314 | _Pvt_Extensions
315 | 
316 | # Paket dependency manager
317 | .paket/paket.exe
318 | paket-files/
319 | 
320 | # FAKE - F# Make
321 | .fake/
322 | 
323 | # CodeRush personal settings
324 | .cr/personal
325 | 
326 | # Python Tools for Visual Studio (PTVS)
327 | __pycache__/
328 | *.pyc
329 | 
330 | # Cake - Uncomment if you are using it
331 | # tools/**
332 | # !tools/packages.config
333 | 
334 | # Tabs Studio
335 | *.tss
336 | 
337 | # Telerik's JustMock configuration file
338 | *.jmconfig
339 | 
340 | # BizTalk build output
341 | *.btp.cs
342 | *.btm.cs
343 | *.odx.cs
344 | *.xsd.cs
345 | 
346 | # OpenCover UI analysis results
347 | OpenCover/
348 | 
349 | # Azure Stream Analytics local run output
350 | ASALocalRun/
351 | 
352 | # MSBuild Binary and Structured Log
353 | *.binlog
354 | 
355 | # NVidia Nsight GPU debugger configuration file
356 | *.nvuser
357 | 
358 | # MFractors (Xamarin productivity tool) working folder
359 | .mfractor/
360 | 
361 | # Local History for Visual Studio
362 | .localhistory/
363 | 
364 | # Visual Studio History (VSHistory) files
365 | .vshistory/
366 | 
367 | # BeatPulse healthcheck temp database
368 | healthchecksdb
369 | 
370 | # Backup folder for Package Reference Convert tool in Visual Studio 2017
371 | MigrationBackup/
372 | 
373 | # Ionide (cross platform F# VS Code tools) working folder
374 | .ionide/
375 | 
376 | # Fody - auto-generated XML schema
377 | FodyWeavers.xsd
378 | 
379 | # VS Code files for those working on multiple tools
380 | .vscode/*
381 | !.vscode/settings.json
382 | !.vscode/tasks.json
383 | !.vscode/launch.json
384 | !.vscode/extensions.json
385 | *.code-workspace
386 | 
387 | # Local History for Visual Studio Code
388 | .history/
389 | 
390 | # Windows Installer files from build outputs
391 | *.cab
392 | *.msi
393 | *.msix
394 | *.msm
395 | *.msp
396 | 
397 | # JetBrains Rider
398 | *.sln.iml
399 | 


--------------------------------------------------------------------------------
/BffOidc.Server.sln:
--------------------------------------------------------------------------------
 1 | 
 2 | Microsoft Visual Studio Solution File, Format Version 12.00
 3 | # Visual Studio Version 17
 4 | VisualStudioVersion = 17.6.33829.357
 5 | MinimumVisualStudioVersion = 10.0.40219.1
 6 | Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{9D8FB767-F7A7-4A5B-A4E9-DC6DB6BCD941}"
 7 | 	ProjectSection(SolutionItems) = preProject
 8 | 		CHANGELOG.md = CHANGELOG.md
 9 | 		.github\workflows\dotnet.yml = .github\workflows\dotnet.yml
10 | 		README.md = README.md
11 | 	EndProjectSection
12 | EndProject
13 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "BffOidc.Server", "bff\server\BffOidc.Server.csproj", "{6C879A0D-453D-41E2-970B-58B4BD45FB95}"
14 | EndProject
15 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "IdentityProvider", "IdentityProvider\IdentityProvider.csproj", "{16ED6BD1-57B3-4C21-8F1A-4E49EF8EDB00}"
16 | EndProject
17 | Global
18 | 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
19 | 		Debug|Any CPU = Debug|Any CPU
20 | 		Release|Any CPU = Release|Any CPU
21 | 	EndGlobalSection
22 | 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
23 | 		{6C879A0D-453D-41E2-970B-58B4BD45FB95}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
24 | 		{6C879A0D-453D-41E2-970B-58B4BD45FB95}.Debug|Any CPU.Build.0 = Debug|Any CPU
25 | 		{6C879A0D-453D-41E2-970B-58B4BD45FB95}.Release|Any CPU.ActiveCfg = Release|Any CPU
26 | 		{6C879A0D-453D-41E2-970B-58B4BD45FB95}.Release|Any CPU.Build.0 = Release|Any CPU
27 | 		{16ED6BD1-57B3-4C21-8F1A-4E49EF8EDB00}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
28 | 		{16ED6BD1-57B3-4C21-8F1A-4E49EF8EDB00}.Debug|Any CPU.Build.0 = Debug|Any CPU
29 | 		{16ED6BD1-57B3-4C21-8F1A-4E49EF8EDB00}.Release|Any CPU.ActiveCfg = Release|Any CPU
30 | 		{16ED6BD1-57B3-4C21-8F1A-4E49EF8EDB00}.Release|Any CPU.Build.0 = Release|Any CPU
31 | 	EndGlobalSection
32 | 	GlobalSection(SolutionProperties) = preSolution
33 | 		HideSolutionNode = FALSE
34 | 	EndGlobalSection
35 | 	GlobalSection(ExtensibilityGlobals) = postSolution
36 | 		SolutionGuid = {BD95AC6A-7177-42CE-AB6C-8BFF7958FDC2}
37 | 	EndGlobalSection
38 | EndGlobal
39 | 


--------------------------------------------------------------------------------
/CHANGELOG.md:
--------------------------------------------------------------------------------
 1 | ## ASP.NET Core, Vue.js BFF using OpenID Connect Changelog
 2 | 
 3 | ### 2025-05-27 0.0.4
 4 | - Updated packages
 5 | 
 6 | ### 2024-12-31 0.0.3
 7 | - Bootstrap 5 used in IDP
 8 | 
 9 | ### 2024-12-18 0.0.2
10 | - .NET 9
11 | - OpenIddict 6.0
12 | 
13 | ### 2024-11-07 0.0.1
14 | - Initial version using Vue.js (Typescript & Vite) and ASP.NET Core
15 |   - ASP.NET Core version 9.x
16 |   - Vue.js (typescript & vite)
17 |   - CRSF used in web requests
18 |   - Strong CSP in production
19 |   - Azure deployment pipeline
20 |   - Yarp proxy for development
21 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/IdentityHostingStartup.cs:
--------------------------------------------------------------------------------
 1 | [assembly: HostingStartup(typeof(OpeniddictServer.Areas.Identity.IdentityHostingStartup))]
 2 | namespace OpeniddictServer.Areas.Identity
 3 | {
 4 |     public class IdentityHostingStartup : IHostingStartup
 5 |     {
 6 |         public void Configure(IWebHostBuilder builder)
 7 |         {
 8 |             builder.ConfigureServices((context, services) =>
 9 |             {
10 |             });
11 |         }
12 |     }
13 | }
14 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Login.cshtml:
--------------------------------------------------------------------------------
 1 | @page
 2 | @model LoginModel
 3 | 
 4 | @{
 5 |     ViewData["Title"] = "Log in";
 6 | }
 7 | 
 8 | <h1>@ViewData["Title"]</h1>
 9 | <div class="row">
10 |     <div class="col-md-4">
11 |         <section>
12 |             <form id="account" method="post">
13 |                 <h3>Use a local account to log in.</h3>
14 |                 <hr />
15 |                 <div asp-validation-summary="ModelOnly" class="text-danger"></div>
16 | 
17 |                 <div class="mb-3">
18 |                     <label asp-for="Input.Email" class="form-label"></label>
19 |                     <input asp-for="Input.Email" class="form-control" autocomplete="username" aria-required="true" aria-describedby="emailHelp" />
20 |                     <div id="emailHelp" class="form-text">We'll never share your email with anyone else.</div>
21 |                     <span asp-validation-for="Input.Email" class="text-danger"></span>
22 |                 </div>
23 |                 <div class="mb-3">
24 |                     <label asp-for="Input.Password" class="form-label"></label>
25 |                     <input asp-for="Input.Password" class="form-control" autocomplete="current-password" aria-required="true" />
26 |                     <span asp-validation-for="Input.Password" class="text-danger"></span>
27 |                 </div>
28 |                 <div class="mb-3 form-check">
29 |                     <input type="checkbox" class="form-check-input" asp-for="Input.RememberMe">
30 |                     <label class="form-check-label" asp-for="Input.RememberMe">@Html.DisplayNameFor(m => m.Input.RememberMe)</label>
31 |                 </div>
32 | 
33 |                 <div>
34 |                     <button id="login-submit" type="submit" class="w-100 btn btn-lg btn-primary">Log in</button>
35 |                 </div>
36 |                 <br />
37 |                 <div>
38 |                     <p>
39 |                         <a id="forgot-password" asp-page="./ForgotPassword">Forgot your password?</a>
40 |                     </p>
41 |                     <p>
42 |                         <a asp-page="./Register" asp-route-returnUrl="@Model.ReturnUrl">Register as a new user</a>
43 |                     </p>
44 |                     <p>
45 |                         <a id="resend-confirmation" asp-page="./ResendEmailConfirmation">Resend email confirmation</a>
46 |                     </p>
47 |                 </div>
48 |             </form>
49 |         </section>
50 |     </div>
51 |     <div class="col-md-6 col-md-offset-2">
52 |         <section>
53 |             <h3>Use another service to log in.</h3>
54 |             <hr />
55 |             @{
56 |                 if ((Model.ExternalLogins?.Count ?? 0) == 0)
57 |                 {
58 |                     <div>
59 |                         <p>
60 |                             There are no external authentication services configured. See this <a href="https://go.microsoft.com/fwlink/?LinkID=532715">article
61 |                             about setting up this ASP.NET application to support logging in via external services</a>.
62 |                         </p>
63 |                     </div>
64 |                 }
65 |                 else
66 |                 {
67 |                     <form id="external-account" asp-page="./ExternalLogin" asp-route-returnUrl="@Model.ReturnUrl" method="post" class="form-horizontal">
68 |                         <div>
69 |                             <p>
70 |                                 @foreach (var provider in Model.ExternalLogins)
71 |                                 {
72 |                                     <button type="submit" class="w-100 btn btn-lg btn-primary" name="provider" value="@provider.Name" title="Log in using your @provider.DisplayName account">@provider.DisplayName</button>
73 |                                 }
74 |                             </p>
75 |                         </div>
76 |                     </form>
77 |                 }
78 |             }
79 |         </section>
80 |     </div>
81 | </div>
82 | 
83 | @section Scripts {
84 |     <script src="~/lib/jquery-validation/dist/jquery.validate.min.js"></script>
85 |     <script src="~/lib/jquery-validation-unobtrusive/dist/jquery.validate.unobtrusive.min.js"></script>
86 | }
87 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Login.cshtml.cs:
--------------------------------------------------------------------------------
  1 | // Licensed to the .NET Foundation under one or more agreements.
  2 | // The .NET Foundation licenses this file to you under the MIT license.
  3 | #nullable disable
  4 | 
  5 | using Fido2Identity;
  6 | using Microsoft.AspNetCore.Authentication;
  7 | using Microsoft.AspNetCore.Identity;
  8 | using Microsoft.AspNetCore.Mvc;
  9 | using Microsoft.AspNetCore.Mvc.RazorPages;
 10 | using OpeniddictServer.Data;
 11 | using System.ComponentModel.DataAnnotations;
 12 | 
 13 | namespace OpeniddictServer.Areas.Identity.Pages.Account
 14 | {
 15 |     public class LoginModel : PageModel
 16 |     {
 17 |         private readonly SignInManager<ApplicationUser> _signInManager;
 18 |         private readonly Fido2Store _fido2Store;
 19 |         private readonly ILogger<LoginModel> _logger;
 20 | 
 21 |         public LoginModel(SignInManager<ApplicationUser> signInManager,
 22 |             Fido2Store fido2Store,
 23 |             ILogger<LoginModel> logger)
 24 |         {
 25 |             _signInManager = signInManager;
 26 |             _fido2Store = fido2Store;
 27 |             _logger = logger;
 28 |         }
 29 | 
 30 |         /// <summary>
 31 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 32 |         ///     directly from your code. This API may change or be removed in future releases.
 33 |         /// </summary>
 34 |         [BindProperty]
 35 |         public InputModel Input { get; set; }
 36 | 
 37 |         /// <summary>
 38 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 39 |         ///     directly from your code. This API may change or be removed in future releases.
 40 |         /// </summary>
 41 |         public IList<AuthenticationScheme> ExternalLogins { get; set; }
 42 | 
 43 |         /// <summary>
 44 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 45 |         ///     directly from your code. This API may change or be removed in future releases.
 46 |         /// </summary>
 47 |         public string ReturnUrl { get; set; }
 48 | 
 49 |         /// <summary>
 50 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 51 |         ///     directly from your code. This API may change or be removed in future releases.
 52 |         /// </summary>
 53 |         [TempData]
 54 |         public string ErrorMessage { get; set; }
 55 | 
 56 |         /// <summary>
 57 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 58 |         ///     directly from your code. This API may change or be removed in future releases.
 59 |         /// </summary>
 60 |         public class InputModel
 61 |         {
 62 |             /// <summary>
 63 |             ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 64 |             ///     directly from your code. This API may change or be removed in future releases.
 65 |             /// </summary>
 66 |             [Required]
 67 |             [EmailAddress]
 68 |             public string Email { get; set; }
 69 | 
 70 |             /// <summary>
 71 |             ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 72 |             ///     directly from your code. This API may change or be removed in future releases.
 73 |             /// </summary>
 74 |             [Required]
 75 |             [DataType(DataType.Password)]
 76 |             public string Password { get; set; }
 77 | 
 78 |             /// <summary>
 79 |             ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 80 |             ///     directly from your code. This API may change or be removed in future releases.
 81 |             /// </summary>
 82 |             [Display(Name = "Remember me?")]
 83 |             public bool RememberMe { get; set; }
 84 |         }
 85 | 
 86 |         public async Task OnGetAsync(string returnUrl = null)
 87 |         {
 88 |             if (!string.IsNullOrEmpty(ErrorMessage))
 89 |             {
 90 |                 ModelState.AddModelError(string.Empty, ErrorMessage);
 91 |             }
 92 | 
 93 |             returnUrl ??= Url.Content("~/");
 94 | 
 95 |             // Clear the existing external cookie to ensure a clean login process
 96 |             await HttpContext.SignOutAsync(IdentityConstants.ExternalScheme);
 97 | 
 98 |             ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
 99 | 
100 |             ReturnUrl = returnUrl;
101 |         }
102 | 
103 |         public async Task<IActionResult> OnPostAsync(string returnUrl = null)
104 |         {
105 |             returnUrl ??= Url.Content("~/");
106 | 
107 |             ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList();
108 | 
109 |             if (ModelState.IsValid)
110 |             {
111 |                 // This doesn't count login failures towards account lockout
112 |                 // To enable password failures to trigger account lockout, set lockoutOnFailure: true
113 |                 var result = await _signInManager.PasswordSignInAsync(Input.Email, Input.Password, Input.RememberMe, lockoutOnFailure: false);
114 |                 if (result.Succeeded)
115 |                 {
116 |                     _logger.LogInformation("User logged in.");
117 |                     return LocalRedirect(returnUrl);
118 |                 }
119 |                 if (result.RequiresTwoFactor)
120 |                 {
121 |                     var fido2ItemExistsForUser = await _fido2Store.GetCredentialsByUserNameAsync(Input.Email);
122 |                     if (fido2ItemExistsForUser.Count > 0)
123 |                     {
124 |                         return RedirectToPage("./LoginFido2Mfa", new { ReturnUrl = returnUrl, Input.RememberMe });
125 |                     }
126 | 
127 |                     return RedirectToPage("./LoginWith2fa", new { ReturnUrl = returnUrl, RememberMe = Input.RememberMe });
128 |                 }
129 |                 if (result.IsLockedOut)
130 |                 {
131 |                     _logger.LogWarning("User account locked out.");
132 |                     return RedirectToPage("./Lockout");
133 |                 }
134 |                 else
135 |                 {
136 |                     ModelState.AddModelError(string.Empty, "Invalid login attempt.");
137 |                     return Page();
138 |                 }
139 |             }
140 | 
141 |             // If we got this far, something failed, redisplay form
142 |             return Page();
143 |         }
144 |     }
145 | }
146 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/LoginFido2Mfa.cshtml:
--------------------------------------------------------------------------------
 1 | @page
 2 | 
 3 | @using Microsoft.AspNetCore.Identity
 4 | @inject SignInManager<ApplicationUser> SignInManager
 5 | @inject UserManager<ApplicationUser> UserManager
 6 | @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
 7 | @functions{
 8 |     public string? GetAntiXsrfRequestToken()
 9 |     {
10 |         return Xsrf.GetAndStoreTokens(this.HttpContext).RequestToken;
11 |     }
12 | }
13 | @model OpeniddictServer.Areas.Identity.Pages.Account.MfaModel
14 | @{
15 |     ViewData["Title"] = "Login with Fido2 MFA";
16 | }
17 | 
18 | <h4>@ViewData["Title"]</h4>
19 | <div class="section">
20 |     <div class="container">
21 |         <h1 class="title is-1">2FA/MFA</h1>
22 |         <div class="content"><p>This is scenario where we just want to use FIDO as the MFA. The user register and logins with their username and password. For demo purposes, we trigger the MFA registering on sign up.</p></div>
23 |         <div class="notification is-danger" style="display:none">
24 |             Please note: Your browser does not seem to support WebAuthn yet. <a href="https://caniuse.com/#search=webauthn" target="_blank">Supported browsers</a>
25 |         </div>
26 | 
27 |         <div class="columns">
28 |             <div class="column is-4">
29 | 
30 |                 <h3 class="title is-3">Fido2 2FA</h3>
31 |                 <form action="/LoginFido2Mfa" method="post" id="signin">
32 |                     <input type="hidden" id="RequestVerificationToken" name="RequestVerificationToken" value="@GetAntiXsrfRequestToken()">
33 |                     <div class="field">
34 |                         <div class="control">
35 |                             <button class="btn btn-primary">2FA with FIDO2 device</button>
36 |                         </div>
37 |                     </div>
38 |                 </form>
39 |             </div>
40 |         </div>
41 | 
42 |         <div id="fido2logindisplay"></div>
43 | 
44 |     </div>
45 | </div>
46 | 
47 | <div style="display:none" id="fido2TapKeyToLogin">FIDO2_TAP_YOUR_SECURITY_KEY_TO_LOGIN</div>
48 | <div style="display:none" id="fido2CouldNotVerifyAssertion">FIDO2_COULD_NOT_VERIFY_ASSERTION</div>
49 | <div style="display:none" id="fido2ReturnUrl">@Model.ReturnUrl</div>
50 | 
51 | 
52 | <script src="~/js/helpers.js"></script>
53 | <script src="~/js/instant.js"></script>
54 | <script src="~/js/mfa.login.js"></script>


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/LoginFido2Mfa.cshtml.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Authorization;
 2 | using Microsoft.AspNetCore.Mvc;
 3 | using Microsoft.AspNetCore.Mvc.RazorPages;
 4 | 
 5 | namespace OpeniddictServer.Areas.Identity.Pages.Account;
 6 | 
 7 | [AllowAnonymous]
 8 | public class MfaModel : PageModel
 9 | {
10 |     [BindProperty(SupportsGet = true)]
11 |     public bool RememberMe { get; set; }
12 | 
13 |     [BindProperty(SupportsGet = true)]
14 |     public string? ReturnUrl { get; set; } = string.Empty;
15 | 
16 |     public void OnGet()
17 |     {
18 |     }
19 | 
20 |     public void OnPost()
21 |     {
22 |     }
23 | }
24 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml:
--------------------------------------------------------------------------------
 1 | @page
 2 | @model Disable2faModel
 3 | @{
 4 |     ViewData["Title"] = "Disable two-factor authentication (2FA)";
 5 |     ViewData["ActivePage"] = ManageNavPages.TwoFactorAuthentication;
 6 | }
 7 | 
 8 | <partial name="_StatusMessage" for="StatusMessage" />
 9 | <h3>@ViewData["Title"]</h3>
10 | 
11 | <div class="alert alert-warning" role="alert">
12 |     <p>
13 |         <strong>This action only disables 2FA.</strong>
14 |     </p>
15 |     <p>
16 |         Disabling 2FA does not change the keys used in authenticator apps. If you wish to change the key
17 |         used in an authenticator app you should <a asp-page="./ResetAuthenticator">reset your authenticator keys.</a>
18 |     </p>
19 | </div>
20 | 
21 | <div>
22 |     <form method="post">
23 |         <button class="btn btn-danger" type="submit">Disable 2FA</button>
24 |     </form>
25 | </div>
26 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/Disable2fa.cshtml.cs:
--------------------------------------------------------------------------------
 1 | // Licensed to the .NET Foundation under one or more agreements.
 2 | // The .NET Foundation licenses this file to you under the MIT license.
 3 | #nullable disable
 4 | 
 5 | using Fido2Identity;
 6 | using Microsoft.AspNetCore.Identity;
 7 | using Microsoft.AspNetCore.Mvc;
 8 | using Microsoft.AspNetCore.Mvc.RazorPages;
 9 | using OpeniddictServer.Data;
10 | 
11 | namespace OpeniddictServer.Areas.Identity.Pages.Account.Manage
12 | {
13 |     public class Disable2faModel : PageModel
14 |     {
15 |         private readonly UserManager<ApplicationUser> _userManager;
16 |         private readonly ILogger<Disable2faModel> _logger;
17 |         private readonly Fido2Store _fido2Store;
18 | 
19 |         public Disable2faModel(
20 |             UserManager<ApplicationUser> userManager,
21 |             Fido2Store fido2Store,
22 |             ILogger<Disable2faModel> logger)
23 |         {
24 |             _userManager = userManager;
25 |             _fido2Store = fido2Store;
26 |             _logger = logger;
27 |         }
28 | 
29 |         /// <summary>
30 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
31 |         ///     directly from your code. This API may change or be removed in future releases.
32 |         /// </summary>
33 |         [TempData]
34 |         public string StatusMessage { get; set; }
35 | 
36 |         public async Task<IActionResult> OnGet()
37 |         {
38 |             var user = await _userManager.GetUserAsync(User);
39 |             if (user == null)
40 |             {
41 |                 return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
42 |             }
43 | 
44 |             if (!await _userManager.GetTwoFactorEnabledAsync(user))
45 |             {
46 |                 throw new InvalidOperationException($"Cannot disable 2FA for user as it's not currently enabled.");
47 |             }
48 | 
49 |             return Page();
50 |         }
51 | 
52 |         public async Task<IActionResult> OnPostAsync()
53 |         {
54 |             var user = await _userManager.GetUserAsync(User);
55 |             if (user == null)
56 |             {
57 |                 return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
58 |             }
59 | 
60 |             // remove Fido2 MFA if it exists
61 |             await _fido2Store.RemoveCredentialsByUserNameAsync(user.UserName);
62 | 
63 |             var disable2faResult = await _userManager.SetTwoFactorEnabledAsync(user, false);
64 |             if (!disable2faResult.Succeeded)
65 |             {
66 |                 throw new InvalidOperationException($"Unexpected error occurred disabling 2FA.");
67 |             }
68 | 
69 |             _logger.LogInformation("User with ID '{UserId}' has disabled 2fa.", _userManager.GetUserId(User));
70 |             StatusMessage = "2fa has been disabled. You can reenable 2fa when you setup an authenticator app";
71 |             return RedirectToPage("./TwoFactorAuthentication");
72 |         }
73 |     }
74 | }
75 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/Fido2Mfa.cshtml:
--------------------------------------------------------------------------------
 1 | @page "/Fido2Mfa/{handler?}"
 2 | @using Microsoft.AspNetCore.Identity
 3 | @inject SignInManager<ApplicationUser> SignInManager
 4 | @inject UserManager<ApplicationUser> UserManager
 5 | @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Xsrf
 6 | @functions{
 7 |     public string? GetAntiXsrfRequestToken()
 8 |     {
 9 |         return Xsrf.GetAndStoreTokens(this.HttpContext).RequestToken;
10 |     }
11 | }
12 | @model OpeniddictServer.Areas.Identity.Pages.Account.Manage.MfaModel
13 | @{
14 |     Layout = "_Layout.cshtml";
15 |     ViewData["Title"] = "Two-factor authentication (2FA)";
16 |     ViewData["ActivePage"] = ManageNavPages.Fido2Mfa;
17 | }
18 | 
19 | <h4>@ViewData["Title"]</h4>
20 | <div class="section">
21 |     <div class="container">
22 |         <h1 class="title is-1">2FA/MFA</h1>
23 |         <div class="content"><p>This is scenario where we just want to use FIDO as the MFA. The user register and logins with their username and password. For demo purposes, we trigger the MFA registering on sign up.</p></div>
24 |         <div class="notification is-danger" style="display:none">
25 |             Please note: Your browser does not seem to support WebAuthn yet. <a href="https://caniuse.com/#search=webauthn" target="_blank">Supported browsers</a>
26 |         </div>
27 | 
28 |         <div class="columns">
29 |             <div class="column is-4">
30 | 
31 |                 <h3 class="title is-3">Add a Fido2 MFA</h3>
32 |                 <form action="/Fido2Mfa" method="post" id="register">
33 |                     <input type="hidden" id="RequestVerificationToken" name="RequestVerificationToken" value="@GetAntiXsrfRequestToken()">
34 |                     <div class="field">
35 |                         <label class="label">Username</label>
36 |                         <div class="control has-icons-left has-icons-right">
37 |                             <input class="form-control" type="text" readonly placeholder="email" value="@User.Identity?.Name" name="username" required>
38 |                         </div>
39 |                     </div>
40 | 
41 |                     <div class="field" style="margin-top:10px;">
42 |                         <div class="control">
43 |                             <button class="btn btn-primary">Add FIDO2 MFA</button>
44 |                         </div>
45 |                     </div>
46 |                 </form>
47 |             </div>
48 |         </div>
49 | 
50 | 
51 |         <div id="fido2mfadisplay"></div>
52 | 
53 |     </div>
54 | </div>
55 | 
56 | 
57 | <div style="display:none" id="fido2TapYourSecurityKeyToFinishRegistration">FIDO2_TAP_YOUR_SECURITY_KEY_TO_FINISH_REGISTRATION</div>
58 | <div style="display:none" id="fido2RegistrationError">FIDO2_REGISTRATION_ERROR</div>
59 | 
60 | <script src="~/js/helpers.js"></script>
61 | <script src="~/js/instant.js"></script>
62 | <script src="~/js/mfa.register.js"></script>


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/Fido2Mfa.cshtml.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Mvc.RazorPages;
 2 | 
 3 | namespace OpeniddictServer.Areas.Identity.Pages.Account.Manage;
 4 | 
 5 | public class MfaModel : PageModel
 6 | {
 7 |     public void OnGet()
 8 |     {
 9 |     }
10 | 
11 |     public void OnPost()
12 |     {
13 |     }
14 | }
15 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/ManageNavPages.cs:
--------------------------------------------------------------------------------
  1 | // Licensed to the .NET Foundation under one or more agreements.
  2 | // The .NET Foundation licenses this file to you under the MIT license.
  3 | #nullable disable
  4 | 
  5 | using Microsoft.AspNetCore.Mvc.Rendering;
  6 | 
  7 | namespace OpeniddictServer.Areas.Identity.Pages.Account.Manage
  8 | {
  9 |     /// <summary>
 10 |     ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 11 |     ///     directly from your code. This API may change or be removed in future releases.
 12 |     /// </summary>
 13 |     public static class ManageNavPages
 14 |     {
 15 |         /// <summary>
 16 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 17 |         ///     directly from your code. This API may change or be removed in future releases.
 18 |         /// </summary>
 19 |         public static string Index => "Index";
 20 | 
 21 |         /// <summary>
 22 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 23 |         ///     directly from your code. This API may change or be removed in future releases.
 24 |         /// </summary>
 25 |         public static string Email => "Email";
 26 | 
 27 |         /// <summary>
 28 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 29 |         ///     directly from your code. This API may change or be removed in future releases.
 30 |         /// </summary>
 31 |         public static string ChangePassword => "ChangePassword";
 32 | 
 33 |         /// <summary>
 34 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 35 |         ///     directly from your code. This API may change or be removed in future releases.
 36 |         /// </summary>
 37 |         public static string DownloadPersonalData => "DownloadPersonalData";
 38 | 
 39 |         /// <summary>
 40 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 41 |         ///     directly from your code. This API may change or be removed in future releases.
 42 |         /// </summary>
 43 |         public static string DeletePersonalData => "DeletePersonalData";
 44 | 
 45 |         /// <summary>
 46 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 47 |         ///     directly from your code. This API may change or be removed in future releases.
 48 |         /// </summary>
 49 |         public static string ExternalLogins => "ExternalLogins";
 50 | 
 51 |         /// <summary>
 52 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 53 |         ///     directly from your code. This API may change or be removed in future releases.
 54 |         /// </summary>
 55 |         public static string PersonalData => "PersonalData";
 56 | 
 57 |         /// <summary>
 58 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 59 |         ///     directly from your code. This API may change or be removed in future releases.
 60 |         /// </summary>
 61 |         public static string TwoFactorAuthentication => "TwoFactorAuthentication";
 62 | 
 63 |         public static string Fido2Mfa => "Fido2Mfa";
 64 | 
 65 |         /// <summary>
 66 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 67 |         ///     directly from your code. This API may change or be removed in future releases.
 68 |         /// </summary>
 69 |         public static string IndexNavClass(ViewContext viewContext) => PageNavClass(viewContext, Index);
 70 | 
 71 |         /// <summary>
 72 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 73 |         ///     directly from your code. This API may change or be removed in future releases.
 74 |         /// </summary>
 75 |         public static string EmailNavClass(ViewContext viewContext) => PageNavClass(viewContext, Email);
 76 | 
 77 |         /// <summary>
 78 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 79 |         ///     directly from your code. This API may change or be removed in future releases.
 80 |         /// </summary>
 81 |         public static string ChangePasswordNavClass(ViewContext viewContext) => PageNavClass(viewContext, ChangePassword);
 82 | 
 83 |         /// <summary>
 84 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 85 |         ///     directly from your code. This API may change or be removed in future releases.
 86 |         /// </summary>
 87 |         public static string DownloadPersonalDataNavClass(ViewContext viewContext) => PageNavClass(viewContext, DownloadPersonalData);
 88 | 
 89 |         /// <summary>
 90 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 91 |         ///     directly from your code. This API may change or be removed in future releases.
 92 |         /// </summary>
 93 |         public static string DeletePersonalDataNavClass(ViewContext viewContext) => PageNavClass(viewContext, DeletePersonalData);
 94 | 
 95 |         /// <summary>
 96 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
 97 |         ///     directly from your code. This API may change or be removed in future releases.
 98 |         /// </summary>
 99 |         public static string ExternalLoginsNavClass(ViewContext viewContext) => PageNavClass(viewContext, ExternalLogins);
100 | 
101 |         /// <summary>
102 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
103 |         ///     directly from your code. This API may change or be removed in future releases.
104 |         /// </summary>
105 |         public static string PersonalDataNavClass(ViewContext viewContext) => PageNavClass(viewContext, PersonalData);
106 | 
107 |         /// <summary>
108 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
109 |         ///     directly from your code. This API may change or be removed in future releases.
110 |         /// </summary>
111 |         public static string TwoFactorAuthenticationNavClass(ViewContext viewContext) => PageNavClass(viewContext, TwoFactorAuthentication);
112 | 
113 |         public static string Fido2MfaNavClass(ViewContext viewContext) => PageNavClass(viewContext, Fido2Mfa);
114 | 
115 |         /// <summary>
116 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
117 |         ///     directly from your code. This API may change or be removed in future releases.
118 |         /// </summary>
119 |         public static string PageNavClass(ViewContext viewContext, string page)
120 |         {
121 |             var activePage = viewContext.ViewData["ActivePage"] as string
122 |                 ?? System.IO.Path.GetFileNameWithoutExtension(viewContext.ActionDescriptor.DisplayName);
123 |             return string.Equals(activePage, page, StringComparison.OrdinalIgnoreCase) ? "active" : null;
124 |         }
125 |     }
126 | }
127 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml:
--------------------------------------------------------------------------------
 1 | @page
 2 | @using Microsoft.AspNetCore.Http.Features
 3 | @model TwoFactorAuthenticationModel
 4 | @{
 5 |     ViewData["Title"] = "Two-factor authentication (2FA)";
 6 |     ViewData["ActivePage"] = ManageNavPages.TwoFactorAuthentication;
 7 | }
 8 | 
 9 | <partial name="_StatusMessage" for="StatusMessage" />
10 | <h3>@ViewData["Title"]</h3>
11 | @{
12 |     var consentFeature = HttpContext.Features.Get<ITrackingConsentFeature>();
13 |     @if (consentFeature?.CanTrack ?? true)
14 |     {
15 |         @if (Model.Is2faEnabled)
16 |         {
17 |             if (Model.RecoveryCodesLeft == 0)
18 |             {
19 |                 <div class="alert alert-danger">
20 |                     <strong>You have no recovery codes left.</strong>
21 |                     <p>You must <a asp-page="./GenerateRecoveryCodes">generate a new set of recovery codes</a> before you can log in with a recovery code.</p>
22 |                 </div>
23 |             }
24 |             else if (Model.RecoveryCodesLeft == 1)
25 |             {
26 |                 <div class="alert alert-danger">
27 |                     <strong>You have 1 recovery code left.</strong>
28 |                     <p>You can <a asp-page="./GenerateRecoveryCodes">generate a new set of recovery codes</a>.</p>
29 |                 </div>
30 |             }
31 |             else if (Model.RecoveryCodesLeft <= 3)
32 |             {
33 |                 <div class="alert alert-warning">
34 |                     <strong>You have @Model.RecoveryCodesLeft recovery codes left.</strong>
35 |                     <p>You should <a asp-page="./GenerateRecoveryCodes">generate a new set of recovery codes</a>.</p>
36 |                 </div>
37 |             }
38 | 
39 |             if (Model.IsMachineRemembered)
40 |             {
41 |                 <form method="post" style="display: inline-block">
42 |                     <button type="submit" class="btn btn-primary">Forget this browser</button>
43 |                 </form>
44 |             }
45 |             <a asp-page="./Disable2fa" class="btn btn-primary">Disable 2FA</a>
46 |             <a asp-page="./GenerateRecoveryCodes" class="btn btn-primary">Reset recovery codes</a>
47 |         }
48 | 
49 |         <h4>Authenticator app</h4>
50 |         @if (!Model.HasAuthenticator)
51 |         {
52 |             <a id="enable-authenticator" asp-page="./EnableAuthenticator" class="btn btn-primary">Add authenticator app</a>
53 |         }
54 |         else
55 |         {
56 |             <a id="enable-authenticator" asp-page="./EnableAuthenticator" class="btn btn-primary">Set up authenticator app</a>
57 |             <a id="reset-authenticator" asp-page="./ResetAuthenticator" class="btn btn-primary">Reset authenticator app</a>
58 |         }
59 |     }
60 |     else
61 |     {
62 |         <div class="alert alert-danger">
63 |             <strong>Privacy and cookie policy have not been accepted.</strong>
64 |             <p>You must accept the policy before you can enable two factor authentication.</p>
65 |         </div>
66 |     }
67 | }
68 | 
69 | <a id="enable-fido2mfa" asp-page="./Fido2Mfa" class="btn btn-primary">Add Fido2 MFA</a>
70 | 
71 | @section Scripts {
72 |     <script src="~/lib/jquery-validation/dist/jquery.validate.min.js"></script>
73 |     <script src="~/lib/jquery-validation-unobtrusive/dist/jquery.validate.unobtrusive.min.js"></script>
74 | }
75 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/TwoFactorAuthentication.cshtml.cs:
--------------------------------------------------------------------------------
 1 | // Licensed to the .NET Foundation under one or more agreements.
 2 | // The .NET Foundation licenses this file to you under the MIT license.
 3 | #nullable disable
 4 | 
 5 | using Microsoft.AspNetCore.Identity;
 6 | using Microsoft.AspNetCore.Mvc;
 7 | using Microsoft.AspNetCore.Mvc.RazorPages;
 8 | using OpeniddictServer.Data;
 9 | 
10 | namespace OpeniddictServer.Areas.Identity.Pages.Account.Manage
11 | {
12 |     public class TwoFactorAuthenticationModel : PageModel
13 |     {
14 |         private readonly UserManager<ApplicationUser> _userManager;
15 |         private readonly SignInManager<ApplicationUser> _signInManager;
16 | 
17 |         public TwoFactorAuthenticationModel(
18 |             UserManager<ApplicationUser> userManager, SignInManager<ApplicationUser> signInManager)
19 |         {
20 |             _userManager = userManager;
21 |             _signInManager = signInManager;
22 |         }
23 | 
24 |         /// <summary>
25 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
26 |         ///     directly from your code. This API may change or be removed in future releases.
27 |         /// </summary>
28 |         public bool HasAuthenticator { get; set; }
29 | 
30 |         /// <summary>
31 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
32 |         ///     directly from your code. This API may change or be removed in future releases.
33 |         /// </summary>
34 |         public int RecoveryCodesLeft { get; set; }
35 | 
36 |         /// <summary>
37 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
38 |         ///     directly from your code. This API may change or be removed in future releases.
39 |         /// </summary>
40 |         [BindProperty]
41 |         public bool Is2faEnabled { get; set; }
42 | 
43 |         /// <summary>
44 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
45 |         ///     directly from your code. This API may change or be removed in future releases.
46 |         /// </summary>
47 |         public bool IsMachineRemembered { get; set; }
48 | 
49 |         /// <summary>
50 |         ///     This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used
51 |         ///     directly from your code. This API may change or be removed in future releases.
52 |         /// </summary>
53 |         [TempData]
54 |         public string StatusMessage { get; set; }
55 | 
56 |         public async Task<IActionResult> OnGetAsync()
57 |         {
58 |             var user = await _userManager.GetUserAsync(User);
59 |             if (user == null)
60 |             {
61 |                 return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
62 |             }
63 | 
64 |             HasAuthenticator = await _userManager.GetAuthenticatorKeyAsync(user) != null;
65 |             Is2faEnabled = await _userManager.GetTwoFactorEnabledAsync(user);
66 |             IsMachineRemembered = await _signInManager.IsTwoFactorClientRememberedAsync(user);
67 |             RecoveryCodesLeft = await _userManager.CountRecoveryCodesAsync(user);
68 | 
69 |             return Page();
70 |         }
71 | 
72 |         public async Task<IActionResult> OnPostAsync()
73 |         {
74 |             var user = await _userManager.GetUserAsync(User);
75 |             if (user == null)
76 |             {
77 |                 return NotFound($"Unable to load user with ID '{_userManager.GetUserId(User)}'.");
78 |             }
79 | 
80 |             await _signInManager.ForgetTwoFactorClientAsync();
81 |             StatusMessage = "The current browser has been forgotten. When you login again from this browser you will be prompted for your 2fa code.";
82 |             return RedirectToPage();
83 |         }
84 |     }
85 | }
86 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/_ManageNav.cshtml:
--------------------------------------------------------------------------------
 1 | @inject SignInManager<ApplicationUser> SignInManager
 2 | @{
 3 |     var hasExternalLogins = (await SignInManager.GetExternalAuthenticationSchemesAsync()).Any();
 4 | }
 5 | <ul class="nav nav-pills flex-column">
 6 |     <li class="nav-item"><a class="nav-link @ManageNavPages.IndexNavClass(ViewContext)" id="profile" asp-page="./Index">Profile</a></li>
 7 |     <li class="nav-item"><a class="nav-link @ManageNavPages.EmailNavClass(ViewContext)" id="email" asp-page="./Email">Email</a></li>
 8 |     <li class="nav-item"><a class="nav-link @ManageNavPages.ChangePasswordNavClass(ViewContext)" id="change-password" asp-page="./ChangePassword">Password</a></li>
 9 |     @if (hasExternalLogins)
10 |     {
11 |         <li id="external-logins" class="nav-item"><a id="external-login" class="nav-link @ManageNavPages.ExternalLoginsNavClass(ViewContext)" asp-page="./ExternalLogins">External logins</a></li>
12 |     }
13 |     <li class="nav-item"><a class="nav-link @ManageNavPages.TwoFactorAuthenticationNavClass(ViewContext)" id="two-factor" asp-page="./TwoFactorAuthentication">Two-factor authentication</a></li>
14 |     <li class="nav-item"><a class="nav-link @ManageNavPages.PersonalDataNavClass(ViewContext)" id="personal-data" asp-page="./PersonalData">Personal data</a></li>
15 | </ul>
16 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/Manage/_ViewImports.cshtml:
--------------------------------------------------------------------------------
1 | @using OpeniddictServer.Areas.Identity.Pages.Account.Manage
2 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/Account/_ViewImports.cshtml:
--------------------------------------------------------------------------------
1 | @using OpeniddictServer.Areas.Identity.Pages.Account


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/_ValidationScriptsPartial.cshtml:
--------------------------------------------------------------------------------
 1 | <environment include="Development">
 2 |     <script src="~/Identity/lib/jquery-validation/dist/jquery.validate.js"></script>
 3 |     <script src="~/Identity/lib/jquery-validation-unobtrusive/dist/jquery.validate.unobtrusive.js"></script>
 4 | </environment>
 5 | <environment exclude="Development">
 6 |     <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validate/1.17.0/jquery.validate.min.js"
 7 |             asp-fallback-src="~/Identity/lib/jquery-validation/dist/jquery.validate.min.js"
 8 |             asp-fallback-test="window.jQuery && window.jQuery.validator"
 9 |             crossorigin="anonymous"
10 |             integrity="sha384-rZfj/ogBloos6wzLGpPkkOr/gpkBNLZ6b6yLy4o+ok+t/SAKlL5mvXLr0OXNi1Hp">
11 |     </script>
12 |     <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery-validation-unobtrusive/3.2.11/jquery.validate.unobtrusive.min.js"
13 |             asp-fallback-src="~/Identity/lib/jquery-validation-unobtrusive/dist/jquery.validate.unobtrusive.min.js"
14 |             asp-fallback-test="window.jQuery && window.jQuery.validator && window.jQuery.validator.unobtrusive"
15 |             crossorigin="anonymous"
16 |             integrity="sha384-R3vNCHsZ+A2Lo3d5A6XNP7fdQkeswQWTIPfiYwSpEP3YV079R+93YzTeZRah7f/F">
17 |     </script>
18 | </environment>
19 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/_ViewImports.cshtml:
--------------------------------------------------------------------------------
1 | @using Microsoft.AspNetCore.Identity
2 | @using OpeniddictServer.Areas.Identity
3 | @using OpeniddictServer.Areas.Identity.Pages
4 | @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
5 | @using OpeniddictServer.Data
6 | 


--------------------------------------------------------------------------------
/IdentityProvider/Areas/Identity/Pages/_ViewStart.cshtml:
--------------------------------------------------------------------------------
1 | 
2 | @{
3 |     Layout = "/Views/Shared/_Layout.cshtml";
4 | }
5 | 


--------------------------------------------------------------------------------
/IdentityProvider/Controllers/ErrorController.cs:
--------------------------------------------------------------------------------
 1 | /*
 2 |  * Licensed under the Apache License, Version 2.0 (http://www.apache.org/licenses/LICENSE-2.0)
 3 |  * See https://github.com/openiddict/openiddict-core for more information concerning
 4 |  * the license and the contributors participating to this project.
 5 |  */
 6 | 
 7 | using Microsoft.AspNetCore;
 8 | using Microsoft.AspNetCore.Mvc;
 9 | using OpeniddictServer.ViewModels.Shared;
10 | 
11 | namespace OpeniddictServer.Controllers;
12 | 
13 | public class ErrorController : Controller
14 | {
15 |     [Route("error")]
16 |     [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
17 |     public IActionResult Error()
18 |     {
19 |         // If the error was not caused by an invalid
20 |         // OIDC request, display a generic error page.
21 |         var response = HttpContext.GetOpenIddictServerResponse();
22 |         if (response == null)
23 |         {
24 |             return View(new ErrorViewModel());
25 |         }
26 | 
27 |         return View(new ErrorViewModel
28 |         {
29 |             Error = response.Error,
30 |             ErrorDescription = response.ErrorDescription
31 |         });
32 |     }
33 | }
34 | 


--------------------------------------------------------------------------------
/IdentityProvider/Controllers/HomeController.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Mvc;
 2 | 
 3 | namespace OpeniddictServer.Controllers;
 4 | 
 5 | public class HomeController : Controller
 6 | {
 7 |     private readonly ILogger<HomeController> _logger;
 8 | 
 9 |     public HomeController(ILogger<HomeController> logger)
10 |     {
11 |         _logger = logger;
12 |     }
13 | 
14 |     public IActionResult Index()
15 |     {
16 |         return View();
17 |     }
18 | 
19 |     public IActionResult Privacy()
20 |     {
21 |         return View();
22 |     }
23 | 
24 |     public IActionResult Error()
25 |     {
26 |         return View();
27 |     }
28 | }
29 | 


--------------------------------------------------------------------------------
/IdentityProvider/Controllers/ResourceController.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Authorization;
 2 | using Microsoft.AspNetCore.Identity;
 3 | using Microsoft.AspNetCore.Mvc;
 4 | using OpenIddict.Validation.AspNetCore;
 5 | using OpeniddictServer.Data;
 6 | 
 7 | namespace OpeniddictServer.Controllers;
 8 | 
 9 | [Route("api")]
10 | public class ResourceController : Controller
11 | {
12 |     private readonly UserManager<ApplicationUser> _userManager;
13 | 
14 |     public ResourceController(UserManager<ApplicationUser> userManager)
15 |         => _userManager = userManager;
16 | 
17 |     [Authorize(AuthenticationSchemes = OpenIddictValidationAspNetCoreDefaults.AuthenticationScheme)]
18 |     [HttpGet("message")]
19 |     public async Task<IActionResult> GetMessage()
20 |     {
21 |         var user = await _userManager.GetUserAsync(User);
22 |         if (user == null)
23 |         {
24 |             return BadRequest();
25 |         }
26 | 
27 |         return Content($"{user.UserName} has been successfully authenticated.");
28 |     }
29 | }
30 | 


--------------------------------------------------------------------------------
/IdentityProvider/Controllers/UserinfoController.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Authentication;
 2 | using Microsoft.AspNetCore.Authorization;
 3 | using Microsoft.AspNetCore.Identity;
 4 | using Microsoft.AspNetCore.Mvc;
 5 | using OpenIddict.Abstractions;
 6 | using OpenIddict.Server.AspNetCore;
 7 | using OpeniddictServer.Data;
 8 | using static OpenIddict.Abstractions.OpenIddictConstants;
 9 | 
10 | namespace OpeniddictServer.Controllers;
11 | 
12 | public class UserinfoController : Controller
13 | {
14 |     private readonly UserManager<ApplicationUser> _userManager;
15 | 
16 |     public UserinfoController(UserManager<ApplicationUser> userManager)
17 |         => _userManager = userManager;
18 | 
19 |     //
20 |     // GET: /api/userinfo
21 |     [Authorize(AuthenticationSchemes = OpenIddictServerAspNetCoreDefaults.AuthenticationScheme)]
22 |     [HttpGet("~/connect/userinfo"), HttpPost("~/connect/userinfo"), Produces("application/json")]
23 |     public async Task<IActionResult> Userinfo()
24 |     {
25 |         var user = await _userManager.GetUserAsync(User);
26 |         if (user == null)
27 |         {
28 |             return Challenge(
29 |                 authenticationSchemes: OpenIddictServerAspNetCoreDefaults.AuthenticationScheme,
30 |                 properties: new AuthenticationProperties(new Dictionary<string, string>
31 |                 {
32 |                     [OpenIddictServerAspNetCoreConstants.Properties.Error] = Errors.InvalidToken,
33 |                     [OpenIddictServerAspNetCoreConstants.Properties.ErrorDescription] =
34 |                         "The specified access token is bound to an account that no longer exists."
35 |                 }));
36 |         }
37 | 
38 |         var claims = new Dictionary<string, object>(StringComparer.Ordinal)
39 |         {
40 |             // Note: the "sub" claim is a mandatory claim and must be included in the JSON response.
41 |             [Claims.Subject] = await _userManager.GetUserIdAsync(user)
42 |         };
43 | 
44 |         if (User.HasScope(Scopes.Email))
45 |         {
46 |             claims[Claims.Email] = await _userManager.GetEmailAsync(user);
47 |             claims[Claims.EmailVerified] = await _userManager.IsEmailConfirmedAsync(user);
48 |         }
49 | 
50 |         if (User.HasScope(Scopes.Phone))
51 |         {
52 |             claims[Claims.PhoneNumber] = await _userManager.GetPhoneNumberAsync(user);
53 |             claims[Claims.PhoneNumberVerified] = await _userManager.IsPhoneNumberConfirmedAsync(user);
54 |         }
55 | 
56 |         if (User.HasScope(Scopes.Roles))
57 |         {
58 |             claims[Claims.Role] = await _userManager.GetRolesAsync(user);
59 |         }
60 | 
61 |         // Note: the complete list of standard claims supported by the OpenID Connect specification
62 |         // can be found here: http://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
63 | 
64 |         return Ok(claims);
65 |     }
66 | }
67 | 


--------------------------------------------------------------------------------
/IdentityProvider/Data/ApplicationDbContext.cs:
--------------------------------------------------------------------------------
 1 | using Fido2Identity;
 2 | using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 3 | using Microsoft.EntityFrameworkCore;
 4 | 
 5 | namespace OpeniddictServer.Data;
 6 | 
 7 | public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
 8 | {
 9 |     public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
10 |         : base(options)
11 |     {
12 |     }
13 | 
14 |     public DbSet<FidoStoredCredential> FidoStoredCredential => Set<FidoStoredCredential>();
15 | 
16 |     protected override void OnModelCreating(ModelBuilder builder)
17 |     {
18 |         builder.Entity<FidoStoredCredential>().HasKey(m => m.Id);
19 | 
20 |         base.OnModelCreating(builder);
21 |     }
22 | }


--------------------------------------------------------------------------------
/IdentityProvider/Data/ApplicationUser.cs:
--------------------------------------------------------------------------------
1 | using Microsoft.AspNetCore.Identity;
2 | 
3 | namespace OpeniddictServer.Data;
4 | 
5 | // Add profile data for application users by adding properties to the ApplicationUser class
6 | public class ApplicationUser : IdentityUser { }
7 | 


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/Fido2Store.cs:
--------------------------------------------------------------------------------
  1 | using Fido2NetLib;
  2 | using Microsoft.EntityFrameworkCore;
  3 | using OpeniddictServer.Data;
  4 | using System.Text;
  5 | 
  6 | namespace Fido2Identity;
  7 | 
  8 | public class Fido2Store
  9 | {
 10 |     private readonly ApplicationDbContext _applicationDbContext;
 11 | 
 12 |     public Fido2Store(ApplicationDbContext applicationDbContext)
 13 |     {
 14 |         _applicationDbContext = applicationDbContext;
 15 |     }
 16 | 
 17 |     public async Task<ICollection<FidoStoredCredential>> GetCredentialsByUserNameAsync(string username)
 18 |     {
 19 |         return await _applicationDbContext.FidoStoredCredential.Where(c => c.UserName == username).ToListAsync();
 20 |     }
 21 | 
 22 |     public async Task RemoveCredentialsByUserNameAsync(string username)
 23 |     {
 24 |         var items = await _applicationDbContext.FidoStoredCredential.Where(c => c.UserName == username).ToListAsync();
 25 |         if (items != null)
 26 |         {
 27 |             foreach (var fido2Key in items)
 28 |             {
 29 |                 _applicationDbContext.FidoStoredCredential.Remove(fido2Key);
 30 |             }
 31 |             ;
 32 | 
 33 |             await _applicationDbContext.SaveChangesAsync();
 34 |         }
 35 |     }
 36 | 
 37 |     public async Task<FidoStoredCredential?> GetCredentialByIdAsync(byte[] id)
 38 |     {
 39 |         var credentialIdString = Base64Url.Encode(id);
 40 |         //byte[] credentialIdStringByte = Base64Url.Decode(credentialIdString);
 41 | 
 42 |         var cred = await _applicationDbContext.FidoStoredCredential
 43 |             .Where(c => c.DescriptorJson != null && c.DescriptorJson.Contains(credentialIdString))
 44 |             .FirstOrDefaultAsync();
 45 | 
 46 |         return cred;
 47 |     }
 48 | 
 49 |     public Task<ICollection<FidoStoredCredential>> GetCredentialsByUserHandleAsync(byte[] userHandle)
 50 |     {
 51 |         return Task.FromResult<ICollection<FidoStoredCredential>>(
 52 |             _applicationDbContext
 53 |                 .FidoStoredCredential.Where(c => c.UserHandle != null && c.UserHandle.SequenceEqual(userHandle))
 54 |                 .ToList());
 55 |     }
 56 | 
 57 |     public async Task UpdateCounterAsync(byte[] credentialId, uint counter)
 58 |     {
 59 |         var credentialIdString = Base64Url.Encode(credentialId);
 60 |         //byte[] credentialIdStringByte = Base64Url.Decode(credentialIdString);
 61 | 
 62 |         var cred = await _applicationDbContext.FidoStoredCredential
 63 |             .Where(c => c.DescriptorJson != null && c.DescriptorJson.Contains(credentialIdString)).FirstOrDefaultAsync();
 64 | 
 65 |         if (cred != null)
 66 |         {
 67 |             cred.SignatureCounter = counter;
 68 |             await _applicationDbContext.SaveChangesAsync();
 69 |         }
 70 |     }
 71 | 
 72 |     public async Task AddCredentialToUserAsync(Fido2User user, FidoStoredCredential credential)
 73 |     {
 74 |         credential.UserId = user.Id;
 75 |         _applicationDbContext.FidoStoredCredential.Add(credential);
 76 |         await _applicationDbContext.SaveChangesAsync();
 77 |     }
 78 | 
 79 |     public async Task<ICollection<Fido2User>> GetUsersByCredentialIdAsync(byte[] credentialId)
 80 |     {
 81 |         var credentialIdString = Base64Url.Encode(credentialId);
 82 |         //byte[] credentialIdStringByte = Base64Url.Decode(credentialIdString);
 83 | 
 84 |         var cred = await _applicationDbContext.FidoStoredCredential
 85 |             .Where(c => c.DescriptorJson != null && c.DescriptorJson.Contains(credentialIdString)).FirstOrDefaultAsync();
 86 | 
 87 |         if (cred == null || cred.UserId == null)
 88 |         {
 89 |             return new List<Fido2User>();
 90 |         }
 91 | 
 92 |         return await _applicationDbContext.Users
 93 |                 .Where(u => Encoding.UTF8.GetBytes(u.UserName)
 94 |                 .SequenceEqual(cred.UserId))
 95 |                 .Select(u => new Fido2User
 96 |                 {
 97 |                     DisplayName = u.UserName,
 98 |                     Name = u.UserName,
 99 |                     Id = Encoding.UTF8.GetBytes(u.UserName) // byte representation of userID is required
100 |                 }).ToListAsync();
101 |     }
102 | }
103 | 
104 | public static class Fido2Extenstions
105 | {
106 |     public static IEnumerable<T> NotNull<T>(this IEnumerable<T?> enumerable) where T : class
107 |     {
108 |         return enumerable.Where(e => e != null).Select(e => e!);
109 |     }
110 | }


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/Fido2UserTwoFactorTokenProvider.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Identity;
 2 | using OpeniddictServer.Data;
 3 | 
 4 | namespace Fido2Identity;
 5 | 
 6 | public class Fido2UserTwoFactorTokenProvider : IUserTwoFactorTokenProvider<ApplicationUser>
 7 | {
 8 |     public Task<bool> CanGenerateTwoFactorTokenAsync(UserManager<ApplicationUser> manager, ApplicationUser user)
 9 |     {
10 |         return Task.FromResult(true);
11 |     }
12 | 
13 |     public Task<string> GenerateAsync(string purpose, UserManager<ApplicationUser> manager, ApplicationUser user)
14 |     {
15 |         return Task.FromResult("fido2");
16 |     }
17 | 
18 |     public Task<bool> ValidateAsync(string purpose, string token, UserManager<ApplicationUser> manager, ApplicationUser user)
19 |     {
20 |         return Task.FromResult(true);
21 |     }
22 | }


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/FidoStoredCredential.cs:
--------------------------------------------------------------------------------
 1 | using Fido2NetLib.Objects;
 2 | using System.ComponentModel.DataAnnotations.Schema;
 3 | using System.Text.Json;
 4 | 
 5 | namespace Fido2Identity;
 6 | 
 7 | /// <summary>
 8 | /// Represents a WebAuthn credential.
 9 | /// </summary>
10 | public class FidoStoredCredential
11 | {
12 |     /// <summary>
13 |     /// Gets or sets the primary key for this user.
14 |     /// </summary>
15 |     [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
16 |     public virtual int Id { get; set; }
17 | 
18 |     /// <summary>
19 |     /// Gets or sets the user name for this user.
20 |     /// </summary>
21 |     public virtual string? UserName { get; set; }
22 | 
23 |     public virtual byte[]? UserId { get; set; }
24 | 
25 |     /// <summary>
26 |     /// Gets or sets the public key for this user.
27 |     /// </summary>
28 |     public virtual byte[]? PublicKey { get; set; }
29 | 
30 |     /// <summary>
31 |     /// Gets or sets the user handle for this user.
32 |     /// </summary>
33 |     public virtual byte[]? UserHandle { get; set; }
34 | 
35 |     public virtual uint SignatureCounter { get; set; }
36 | 
37 |     public virtual string? CredType { get; set; }
38 | 
39 |     /// <summary>
40 |     /// Gets or sets the registration date for this user.
41 |     /// </summary>
42 |     public virtual DateTime RegDate { get; set; }
43 | 
44 |     /// <summary>
45 |     /// Gets or sets the Authenticator Attestation GUID (AAGUID) for this user.
46 |     /// </summary>
47 |     /// <remarks>
48 |     /// An AAGUID is a 128-bit identifier indicating the type of the authenticator.
49 |     /// </remarks>
50 |     public virtual Guid AaGuid { get; set; }
51 | 
52 |     [NotMapped]
53 |     public PublicKeyCredentialDescriptor? Descriptor
54 |     {
55 |         get { return string.IsNullOrWhiteSpace(DescriptorJson) ? null : JsonSerializer.Deserialize<PublicKeyCredentialDescriptor>(DescriptorJson); }
56 |         set { DescriptorJson = JsonSerializer.Serialize(value); }
57 |     }
58 | 
59 |     public virtual string? DescriptorJson { get; set; }
60 | }
61 | 


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/MfaFido2RegisterController.cs:
--------------------------------------------------------------------------------
  1 | using Fido2NetLib;
  2 | using Fido2NetLib.Objects;
  3 | using Microsoft.AspNetCore.Identity;
  4 | using Microsoft.AspNetCore.Mvc;
  5 | using Microsoft.Extensions.Options;
  6 | using OpeniddictServer.Data;
  7 | using System.Text;
  8 | using static Fido2NetLib.Fido2;
  9 | 
 10 | namespace Fido2Identity;
 11 | 
 12 | [Route("api/[controller]")]
 13 | public class MfaFido2RegisterController : Controller
 14 | {
 15 |     private readonly Fido2 _lib;
 16 |     public static IMetadataService? _mds;
 17 |     private readonly Fido2Store _fido2Store;
 18 |     private readonly UserManager<ApplicationUser> _userManager;
 19 |     private readonly IOptions<Fido2Configuration> _optionsFido2Configuration;
 20 | 
 21 |     public MfaFido2RegisterController(
 22 |         Fido2Store fido2Store,
 23 |         UserManager<ApplicationUser> userManager,
 24 |         IOptions<Fido2Configuration> optionsFido2Configuration)
 25 |     {
 26 |         _userManager = userManager;
 27 |         _optionsFido2Configuration = optionsFido2Configuration;
 28 |         _fido2Store = fido2Store;
 29 | 
 30 |         _lib = new Fido2(new Fido2Configuration()
 31 |         {
 32 |             ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
 33 |             ServerName = _optionsFido2Configuration.Value.ServerName,
 34 |             Origins = _optionsFido2Configuration.Value.Origins,
 35 |             TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
 36 |         });
 37 |     }
 38 | 
 39 |     private static string FormatException(Exception e)
 40 |     {
 41 |         return string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
 42 |     }
 43 | 
 44 |     [HttpPost]
 45 |     [ValidateAntiForgeryToken]
 46 |     [Route("/mfamakeCredentialOptions")]
 47 |     public async Task<JsonResult> MakeCredentialOptions([FromForm] string username, [FromForm] string displayName, [FromForm] string attType, [FromForm] string authType, [FromForm] bool requireResidentKey, [FromForm] string userVerification)
 48 |     {
 49 |         try
 50 |         {
 51 |             if (string.IsNullOrEmpty(username))
 52 |             {
 53 |                 username = $"{displayName} (Usernameless user created at {DateTime.UtcNow})";
 54 |             }
 55 | 
 56 |             var ApplicationUser = await _userManager.FindByEmailAsync(username);
 57 |             var user = new Fido2User
 58 |             {
 59 |                 DisplayName = ApplicationUser.UserName,
 60 |                 Name = ApplicationUser.UserName,
 61 |                 Id = Encoding.UTF8.GetBytes(ApplicationUser.UserName) // byte representation of userID is required
 62 |             };
 63 | 
 64 |             // 2. Get user existing keys by username
 65 |             var items = await _fido2Store.GetCredentialsByUserNameAsync(ApplicationUser.UserName);
 66 |             var existingKeys = new List<PublicKeyCredentialDescriptor>();
 67 |             foreach (var publicKeyCredentialDescriptor in items)
 68 |             {
 69 |                 if (publicKeyCredentialDescriptor.Descriptor != null)
 70 |                     existingKeys.Add(publicKeyCredentialDescriptor.Descriptor);
 71 |             }
 72 | 
 73 |             // 3. Create options
 74 |             var authenticatorSelection = new AuthenticatorSelection
 75 |             {
 76 |                 RequireResidentKey = requireResidentKey,
 77 |                 UserVerification = userVerification.ToEnum<UserVerificationRequirement>()
 78 |             };
 79 | 
 80 |             if (!string.IsNullOrEmpty(authType))
 81 |                 authenticatorSelection.AuthenticatorAttachment = authType.ToEnum<AuthenticatorAttachment>();
 82 | 
 83 |             var exts = new AuthenticationExtensionsClientInputs
 84 |             {
 85 |                 Extensions = true,
 86 |                 UserVerificationMethod = true,
 87 |             };
 88 | 
 89 |             var options = _lib.RequestNewCredential(
 90 |                 user, existingKeys,
 91 |                 authenticatorSelection, attType.ToEnum<AttestationConveyancePreference>(), exts);
 92 | 
 93 |             // 4. Temporarily store options, session/in-memory cache/redis/db
 94 |             HttpContext.Session.SetString("fido2.attestationOptions", options.ToJson());
 95 | 
 96 |             // 5. return options to client
 97 |             return Json(options);
 98 |         }
 99 |         catch (Exception e)
100 |         {
101 |             return Json(new CredentialCreateOptions { Status = "error", ErrorMessage = FormatException(e) });
102 |         }
103 |     }
104 | 
105 |     [HttpPost]
106 |     [ValidateAntiForgeryToken]
107 |     [Route("/mfamakeCredential")]
108 |     public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestationRawResponse attestationResponse)
109 |     {
110 |         try
111 |         {
112 |             // 1. get the options we sent the client
113 |             var jsonOptions = HttpContext.Session.GetString("fido2.attestationOptions");
114 |             var options = CredentialCreateOptions.FromJson(jsonOptions);
115 | 
116 |             // 2. Create callback so that lib can verify credential id is unique to this user
117 |             async Task<bool> callback(IsCredentialIdUniqueToUserParams args, CancellationToken cancellationToken)
118 |             {
119 |                 var users = await _fido2Store.GetUsersByCredentialIdAsync(args.CredentialId);
120 |                 if (users.Count > 0) return false;
121 | 
122 |                 return true;
123 |             }
124 | 
125 |             // 2. Verify and make the credentials
126 |             var success = await _lib.MakeNewCredentialAsync(attestationResponse, options, callback);
127 | 
128 |             if (success.Result != null)
129 |             {
130 |                 // 3. Store the credentials in db
131 |                 await _fido2Store.AddCredentialToUserAsync(options.User, new FidoStoredCredential
132 |                 {
133 |                     UserName = options.User.Name,
134 |                     Descriptor = new PublicKeyCredentialDescriptor(success.Result.CredentialId),
135 |                     PublicKey = success.Result.PublicKey,
136 |                     UserHandle = success.Result.User.Id,
137 |                     SignatureCounter = success.Result.Counter,
138 |                     CredType = success.Result.CredType,
139 |                     RegDate = DateTime.Now,
140 |                     AaGuid = success.Result.Aaguid
141 |                 });
142 |             }
143 | 
144 |             // 4. return "ok" to the client
145 | 
146 |             var user = await _userManager.GetUserAsync(User);
147 |             if (user == null)
148 |             {
149 |                 return Json(new CredentialMakeResult("error",
150 |                         $"Unable to load user with ID '{_userManager.GetUserId(User)}'.",
151 |                         success.Result));
152 |             }
153 | 
154 |             await _userManager.SetTwoFactorEnabledAsync(user, true);
155 |             var userId = await _userManager.GetUserIdAsync(user);
156 | 
157 |             return Json(success);
158 |         }
159 |         catch (Exception e)
160 |         {
161 |             return Json(new CredentialMakeResult("error", FormatException(e), null));
162 |         }
163 |     }
164 | }


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/MfaFido2SignInFidoController.cs:
--------------------------------------------------------------------------------
  1 | using Fido2NetLib;
  2 | using Fido2NetLib.Objects;
  3 | using Microsoft.AspNetCore.Identity;
  4 | using Microsoft.AspNetCore.Mvc;
  5 | using Microsoft.Extensions.Options;
  6 | using OpeniddictServer.Data;
  7 | using System.Text;
  8 | 
  9 | namespace Fido2Identity;
 10 | 
 11 | [Route("api/[controller]")]
 12 | public class MfaFido2SignInFidoController : Controller
 13 | {
 14 |     private readonly Fido2 _lib;
 15 |     private readonly Fido2Store _fido2Store;
 16 |     private readonly SignInManager<ApplicationUser> _signInManager;
 17 |     private readonly IOptions<Fido2Configuration> _optionsFido2Configuration;
 18 | 
 19 |     public MfaFido2SignInFidoController(
 20 |         Fido2Store fido2Store,
 21 |         SignInManager<ApplicationUser> signInManager,
 22 |         IOptions<Fido2Configuration> optionsFido2Configuration)
 23 |     {
 24 |         _optionsFido2Configuration = optionsFido2Configuration;
 25 |         _signInManager = signInManager;
 26 |         _fido2Store = fido2Store;
 27 | 
 28 |         _lib = new Fido2(new Fido2Configuration()
 29 |         {
 30 |             ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
 31 |             ServerName = _optionsFido2Configuration.Value.ServerName,
 32 |             Origins = _optionsFido2Configuration.Value.Origins,
 33 |             TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
 34 |         });
 35 |     }
 36 | 
 37 |     private static string FormatException(Exception e)
 38 |     {
 39 |         return string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
 40 |     }
 41 | 
 42 |     [HttpPost]
 43 |     [ValidateAntiForgeryToken]
 44 |     [Route("/mfaassertionOptions")]
 45 |     public async Task<ActionResult> AssertionOptionsPost([FromForm] string username, [FromForm] string userVerification)
 46 |     {
 47 |         try
 48 |         {
 49 |             var ApplicationUser = await _signInManager.GetTwoFactorAuthenticationUserAsync();
 50 |             if (ApplicationUser == null)
 51 |             {
 52 |                 throw new InvalidOperationException($"Unable to load two-factor authentication user.");
 53 |             }
 54 | 
 55 |             var existingCredentials = new List<PublicKeyCredentialDescriptor>();
 56 | 
 57 |             if (!string.IsNullOrEmpty(ApplicationUser.UserName))
 58 |             {
 59 | 
 60 |                 var user = new Fido2User
 61 |                 {
 62 |                     DisplayName = ApplicationUser.UserName,
 63 |                     Name = ApplicationUser.UserName,
 64 |                     Id = Encoding.UTF8.GetBytes(ApplicationUser.UserName) // byte representation of userID is required
 65 |                 };
 66 | 
 67 |                 if (user == null) throw new ArgumentException("Username was not registered");
 68 | 
 69 |                 // 2. Get registered credentials from database
 70 |                 var items = await _fido2Store.GetCredentialsByUserNameAsync(ApplicationUser.UserName);
 71 |                 existingCredentials = items.Select(c => c.Descriptor).NotNull().ToList();
 72 |             }
 73 | 
 74 |             var exts = new AuthenticationExtensionsClientInputs
 75 |             {
 76 |                 UserVerificationMethod = true,
 77 |             };
 78 |             // 3. Create options
 79 |             var uv = string.IsNullOrEmpty(userVerification) ? UserVerificationRequirement.Discouraged : userVerification.ToEnum<UserVerificationRequirement>();
 80 |             var options = _lib.GetAssertionOptions(
 81 |                 existingCredentials,
 82 |                 uv,
 83 |                 exts
 84 |             );
 85 | 
 86 |             // 4. Temporarily store options, session/in-memory cache/redis/db
 87 |             HttpContext.Session.SetString("fido2.assertionOptions", options.ToJson());
 88 | 
 89 |             // 5. Return options to client
 90 |             return Json(options);
 91 |         }
 92 | 
 93 |         catch (Exception e)
 94 |         {
 95 |             return Json(new AssertionOptions { Status = "error", ErrorMessage = FormatException(e) });
 96 |         }
 97 |     }
 98 | 
 99 |     [HttpPost]
100 |     [ValidateAntiForgeryToken]
101 |     [Route("/mfamakeAssertion")]
102 |     public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRawResponse clientResponse)
103 |     {
104 |         try
105 |         {
106 |             // 1. Get the assertion options we sent the client
107 |             var jsonOptions = HttpContext.Session.GetString("fido2.assertionOptions");
108 |             var options = AssertionOptions.FromJson(jsonOptions);
109 | 
110 |             // 2. Get registered credential from database
111 |             var creds = await _fido2Store.GetCredentialByIdAsync(clientResponse.Id);
112 | 
113 |             if (creds == null)
114 |             {
115 |                 throw new Exception("Unknown credentials");
116 |             }
117 | 
118 |             // 3. Get credential counter from database
119 |             var storedCounter = creds.SignatureCounter;
120 | 
121 |             // 4. Create callback to check if userhandle owns the credentialId
122 |             IsUserHandleOwnerOfCredentialIdAsync callback = async (args, cancellationToken) =>
123 |             {
124 |                 var storedCreds = await _fido2Store.GetCredentialsByUserHandleAsync(args.UserHandle);
125 |                 return storedCreds.Any(c => c.Descriptor != null && c.Descriptor.Id.SequenceEqual(args.CredentialId));
126 |             };
127 | 
128 |             if (creds.PublicKey == null)
129 |             {
130 |                 throw new InvalidOperationException($"No public key");
131 |             }
132 | 
133 |             // 5. Make the assertion
134 |             var res = await _lib.MakeAssertionAsync(
135 |                 clientResponse, options, creds.PublicKey, storedCounter, callback);
136 | 
137 |             // 6. Store the updated counter
138 |             await _fido2Store.UpdateCounterAsync(res.CredentialId, res.Counter);
139 | 
140 |             // complete sign-in
141 |             var user = await _signInManager.GetTwoFactorAuthenticationUserAsync();
142 |             if (user == null)
143 |             {
144 |                 throw new InvalidOperationException($"Unable to load two-factor authentication user.");
145 |             }
146 | 
147 |             var result = await _signInManager.TwoFactorSignInAsync("FIDO2", string.Empty, false, false);
148 | 
149 |             // 7. return OK to client
150 |             return Json(res);
151 |         }
152 |         catch (Exception e)
153 |         {
154 |             return Json(new AssertionVerificationResult { Status = "error", ErrorMessage = FormatException(e) });
155 |         }
156 |     }
157 | }
158 | 


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/PwFido2RegisterController.cs:
--------------------------------------------------------------------------------
  1 | using Fido2NetLib;
  2 | using Fido2NetLib.Objects;
  3 | using Microsoft.AspNetCore.Identity;
  4 | using Microsoft.AspNetCore.Mvc;
  5 | using Microsoft.Extensions.Options;
  6 | using OpeniddictServer.Data;
  7 | using System.Text;
  8 | using static Fido2NetLib.Fido2;
  9 | 
 10 | namespace Fido2Identity;
 11 | 
 12 | [Route("api/[controller]")]
 13 | public class PwFido2RegisterController : Controller
 14 | {
 15 |     private readonly Fido2 _lib;
 16 |     private readonly Fido2Store _fido2Store;
 17 |     private readonly UserManager<ApplicationUser> _userManager;
 18 |     private readonly IOptions<Fido2Configuration> _optionsFido2Configuration;
 19 | 
 20 | 
 21 |     public PwFido2RegisterController(
 22 |         Fido2Store fido2Store,
 23 |         UserManager<ApplicationUser> userManager,
 24 |         IOptions<Fido2Configuration> optionsFido2Configuration)
 25 |     {
 26 |         _userManager = userManager;
 27 |         _optionsFido2Configuration = optionsFido2Configuration;
 28 |         _fido2Store = fido2Store;
 29 | 
 30 |         _lib = new Fido2(new Fido2Configuration()
 31 |         {
 32 |             ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
 33 |             ServerName = _optionsFido2Configuration.Value.ServerName,
 34 |             Origins = _optionsFido2Configuration.Value.Origins,
 35 |             TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
 36 |         });
 37 |     }
 38 | 
 39 |     private static string FormatException(Exception e)
 40 |     {
 41 |         return string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
 42 |     }
 43 | 
 44 |     [HttpPost]
 45 |     [ValidateAntiForgeryToken]
 46 |     [Route("/pwmakeCredentialOptions")]
 47 |     public async Task<JsonResult> MakeCredentialOptions([FromForm] string username, [FromForm] string displayName, [FromForm] string attType, [FromForm] string authType, [FromForm] bool requireResidentKey, [FromForm] string userVerification)
 48 |     {
 49 |         try
 50 |         {
 51 |             if (string.IsNullOrEmpty(username))
 52 |             {
 53 |                 username = $"{displayName} (Usernameless user created at {DateTime.UtcNow})";
 54 |             }
 55 | 
 56 |             var user = new Fido2User
 57 |             {
 58 |                 DisplayName = displayName,
 59 |                 Name = username,
 60 |                 Id = Encoding.UTF8.GetBytes(username) // byte representation of userID is required
 61 |             };
 62 | 
 63 |             // 2. Get user existing keys by username
 64 |             var items = await _fido2Store.GetCredentialsByUserNameAsync(username);
 65 |             var existingKeys = new List<PublicKeyCredentialDescriptor>();
 66 |             foreach (var publicKeyCredentialDescriptor in items)
 67 |             {
 68 |                 if (publicKeyCredentialDescriptor.Descriptor != null)
 69 |                     existingKeys.Add(publicKeyCredentialDescriptor.Descriptor);
 70 |             }
 71 | 
 72 |             // 3. Create options
 73 |             var authenticatorSelection = new AuthenticatorSelection
 74 |             {
 75 |                 RequireResidentKey = requireResidentKey,
 76 |                 UserVerification = userVerification.ToEnum<UserVerificationRequirement>()
 77 |             };
 78 | 
 79 |             if (!string.IsNullOrEmpty(authType))
 80 |                 authenticatorSelection.AuthenticatorAttachment = authType.ToEnum<AuthenticatorAttachment>();
 81 | 
 82 |             var exts = new AuthenticationExtensionsClientInputs
 83 |             {
 84 |                 Extensions = true,
 85 |                 UserVerificationMethod = true,
 86 |             };
 87 | 
 88 |             var options = _lib.RequestNewCredential(user, existingKeys, authenticatorSelection, attType.ToEnum<AttestationConveyancePreference>(), exts);
 89 | 
 90 |             // 4. Temporarily store options, session/in-memory cache/redis/db
 91 |             HttpContext.Session.SetString("fido2.attestationOptions", options.ToJson());
 92 | 
 93 |             // 5. return options to client
 94 |             return Json(options);
 95 |         }
 96 |         catch (Exception e)
 97 |         {
 98 |             return Json(new CredentialCreateOptions { Status = "error", ErrorMessage = FormatException(e) });
 99 |         }
100 |     }
101 | 
102 |     [HttpPost]
103 |     [ValidateAntiForgeryToken]
104 |     [Route("/pwmakeCredential")]
105 |     public async Task<JsonResult> MakeCredential([FromBody] AuthenticatorAttestationRawResponse attestationResponse)
106 |     {
107 |         try
108 |         {
109 |             // 1. get the options we sent the client
110 |             var jsonOptions = HttpContext.Session.GetString("fido2.attestationOptions");
111 |             var options = CredentialCreateOptions.FromJson(jsonOptions);
112 | 
113 |             // 2. Create callback so that lib can verify credential id is unique to this user
114 |             IsCredentialIdUniqueToUserAsyncDelegate callback = async (args, cancellationToken) =>
115 |             {
116 |                 var users = await _fido2Store.GetUsersByCredentialIdAsync(args.CredentialId);
117 |                 if (users.Count > 0) return false;
118 | 
119 |                 return true;
120 |             };
121 | 
122 |             // 2. Verify and make the credentials
123 |             var success = await _lib.MakeNewCredentialAsync(attestationResponse, options, callback);
124 | 
125 |             if (success.Result != null)
126 |             {
127 |                 // 3. Store the credentials in db
128 |                 await _fido2Store.AddCredentialToUserAsync(options.User, new FidoStoredCredential
129 |                 {
130 |                     UserName = options.User.Name,
131 |                     Descriptor = new PublicKeyCredentialDescriptor(success.Result.CredentialId),
132 |                     PublicKey = success.Result.PublicKey,
133 |                     UserHandle = success.Result.User.Id,
134 |                     SignatureCounter = success.Result.Counter,
135 |                     CredType = success.Result.CredType,
136 |                     RegDate = DateTime.Now,
137 |                     AaGuid = success.Result.Aaguid
138 |                 });
139 |             }
140 | 
141 |             // 4. return "ok" to the client
142 | 
143 |             var user = await CreateUser(options.User.Name);
144 |             // await _userManager.GetUserAsync(User);
145 | 
146 |             if (user == null)
147 |             {
148 |                 return Json(new CredentialMakeResult("error",
149 |                     $"Unable to load user with ID '{_userManager.GetUserId(User)}'.",
150 |                     success.Result));
151 |             }
152 | 
153 |             //await _userManager.SetTwoFactorEnabledAsync(user, true);
154 |             //var userId = await _userManager.FindByNameAsync(user);
155 | 
156 |             return Json(success);
157 |         }
158 |         catch (Exception e)
159 |         {
160 |             return Json(new CredentialMakeResult("error", FormatException(e), null));
161 |         }
162 |     }
163 | 
164 |     private async Task<ApplicationUser> CreateUser(string userEmail)
165 |     {
166 |         var user = new ApplicationUser { UserName = userEmail, Email = userEmail, EmailConfirmed = true };
167 |         var result = await _userManager.CreateAsync(user);
168 |         if (result.Succeeded)
169 |         {
170 |             //await _signInManager.SignInAsync(user, isPersistent: false);
171 |         }
172 | 
173 |         return user;
174 |     }
175 | }


--------------------------------------------------------------------------------
/IdentityProvider/Fido2/PwFido2SignInController.cs:
--------------------------------------------------------------------------------
  1 | using Fido2NetLib;
  2 | using Fido2NetLib.Objects;
  3 | using Microsoft.AspNetCore.Identity;
  4 | using Microsoft.AspNetCore.Mvc;
  5 | using Microsoft.Extensions.Options;
  6 | using OpeniddictServer.Data;
  7 | using System.Text;
  8 | 
  9 | namespace Fido2Identity;
 10 | 
 11 | [Route("api/[controller]")]
 12 | public class PwFido2SignInController : Controller
 13 | {
 14 |     private readonly Fido2 _lib;
 15 |     private readonly Fido2Store _fido2Store;
 16 |     private readonly UserManager<ApplicationUser> _userManager;
 17 |     private readonly SignInManager<ApplicationUser> _signInManager;
 18 |     private readonly IOptions<Fido2Configuration> _optionsFido2Configuration;
 19 | 
 20 |     public PwFido2SignInController(
 21 |         Fido2Store fido2Store,
 22 |         UserManager<ApplicationUser> userManager,
 23 |         SignInManager<ApplicationUser> signInManager,
 24 |         IOptions<Fido2Configuration> optionsFido2Configuration)
 25 |     {
 26 |         _userManager = userManager;
 27 |         _optionsFido2Configuration = optionsFido2Configuration;
 28 |         _signInManager = signInManager;
 29 |         _userManager = userManager;
 30 |         _fido2Store = fido2Store;
 31 | 
 32 |         _lib = new Fido2(new Fido2Configuration()
 33 |         {
 34 |             ServerDomain = _optionsFido2Configuration.Value.ServerDomain,
 35 |             ServerName = _optionsFido2Configuration.Value.ServerName,
 36 |             Origins = _optionsFido2Configuration.Value.Origins,
 37 |             TimestampDriftTolerance = _optionsFido2Configuration.Value.TimestampDriftTolerance
 38 |         });
 39 |     }
 40 | 
 41 |     private static string FormatException(Exception e)
 42 |     {
 43 |         return string.Format("{0}{1}", e.Message, e.InnerException != null ? " (" + e.InnerException.Message + ")" : "");
 44 |     }
 45 | 
 46 |     [HttpPost]
 47 |     [ValidateAntiForgeryToken]
 48 |     [Route("/pwassertionOptions")]
 49 |     public async Task<ActionResult> AssertionOptionsPost([FromForm] string username, [FromForm] string userVerification)
 50 |     {
 51 |         try
 52 |         {
 53 | 
 54 |             var existingCredentials = new List<PublicKeyCredentialDescriptor>();
 55 | 
 56 |             if (!string.IsNullOrEmpty(username))
 57 |             {
 58 |                 var ApplicationUser = await _userManager.FindByNameAsync(username);
 59 |                 var user = new Fido2User
 60 |                 {
 61 |                     DisplayName = ApplicationUser.UserName,
 62 |                     Name = ApplicationUser.UserName,
 63 |                     Id = Encoding.UTF8.GetBytes(ApplicationUser.UserName) // byte representation of userID is required
 64 |                 };
 65 | 
 66 |                 if (user == null) throw new ArgumentException("Username was not registered");
 67 | 
 68 |                 // 2. Get registered credentials from database
 69 |                 var items = await _fido2Store.GetCredentialsByUserNameAsync(ApplicationUser.UserName);
 70 |                 existingCredentials = items.Select(c => c.Descriptor).NotNull().ToList();
 71 |             }
 72 | 
 73 |             var exts = new AuthenticationExtensionsClientInputs
 74 |             {
 75 |                 UserVerificationMethod = true,
 76 |             };
 77 | 
 78 |             // 3. Create options
 79 |             var uv = string.IsNullOrEmpty(userVerification) ? UserVerificationRequirement.Discouraged : userVerification.ToEnum<UserVerificationRequirement>();
 80 |             var options = _lib.GetAssertionOptions(
 81 |                 existingCredentials,
 82 |                 uv,
 83 |                 exts
 84 |             );
 85 | 
 86 |             // 4. Temporarily store options, session/in-memory cache/redis/db
 87 |             HttpContext.Session.SetString("fido2.assertionOptions", options.ToJson());
 88 | 
 89 |             // 5. Return options to client
 90 |             return Json(options);
 91 |         }
 92 | 
 93 |         catch (Exception e)
 94 |         {
 95 |             return Json(new AssertionOptions { Status = "error", ErrorMessage = FormatException(e) });
 96 |         }
 97 |     }
 98 | 
 99 |     [HttpPost]
100 |     [ValidateAntiForgeryToken]
101 |     [Route("/pwmakeAssertion")]
102 |     public async Task<JsonResult> MakeAssertion([FromBody] AuthenticatorAssertionRawResponse clientResponse)
103 |     {
104 |         try
105 |         {
106 |             // 1. Get the assertion options we sent the client
107 |             var jsonOptions = HttpContext.Session.GetString("fido2.assertionOptions");
108 |             var options = AssertionOptions.FromJson(jsonOptions);
109 | 
110 |             // 2. Get registered credential from database
111 |             var creds = await _fido2Store.GetCredentialByIdAsync(clientResponse.Id);
112 | 
113 |             if (creds == null)
114 |             {
115 |                 throw new Exception("Unknown credentials");
116 |             }
117 | 
118 |             // 3. Get credential counter from database
119 |             var storedCounter = creds.SignatureCounter;
120 | 
121 |             // 4. Create callback to check if userhandle owns the credentialId
122 |             IsUserHandleOwnerOfCredentialIdAsync callback = async (args, cancellationToken) =>
123 |             {
124 |                 var storedCreds = await _fido2Store.GetCredentialsByUserHandleAsync(args.UserHandle);
125 |                 return storedCreds.Any(c => c.Descriptor != null && c.Descriptor.Id.SequenceEqual(args.CredentialId));
126 |             };
127 | 
128 |             if (creds.PublicKey == null)
129 |             {
130 |                 throw new InvalidOperationException($"No public key");
131 |             }
132 | 
133 |             // 5. Make the assertion
134 |             var res = await _lib.MakeAssertionAsync(
135 |                 clientResponse, options, creds.PublicKey, storedCounter, callback);
136 | 
137 |             // 6. Store the updated counter
138 |             await _fido2Store.UpdateCounterAsync(res.CredentialId, res.Counter);
139 | 
140 |             var ApplicationUser = await _userManager.FindByNameAsync(creds.UserName);
141 |             if (ApplicationUser == null)
142 |             {
143 |                 throw new InvalidOperationException($"Unable to load user.");
144 |             }
145 | 
146 |             await _signInManager.SignInAsync(ApplicationUser, isPersistent: false);
147 | 
148 |             // 7. return OK to client
149 |             return Json(res);
150 |         }
151 |         catch (Exception e)
152 |         {
153 |             return Json(new AssertionVerificationResult { Status = "error", ErrorMessage = FormatException(e) });
154 |         }
155 |     }
156 | }
157 | 


--------------------------------------------------------------------------------
/IdentityProvider/Helpers/AsyncEnumerableExtensions.cs:
--------------------------------------------------------------------------------
 1 | namespace OpeniddictServer.Helpers;
 2 | 
 3 | public static class AsyncEnumerableExtensions
 4 | {
 5 |     public static Task<List<T>> ToListAsync<T>(this IAsyncEnumerable<T> source)
 6 |     {
 7 |         if (source == null)
 8 |         {
 9 |             throw new ArgumentNullException(nameof(source));
10 |         }
11 | 
12 |         return ExecuteAsync();
13 | 
14 |         async Task<List<T>> ExecuteAsync()
15 |         {
16 |             var list = new List<T>();
17 | 
18 |             await foreach (var element in source)
19 |             {
20 |                 list.Add(element);
21 |             }
22 | 
23 |             return list;
24 |         }
25 |     }
26 | }
27 | 


--------------------------------------------------------------------------------
/IdentityProvider/Helpers/FormValueRequiredAttribute.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Mvc.Abstractions;
 2 | using Microsoft.AspNetCore.Mvc.ActionConstraints;
 3 | 
 4 | namespace OpeniddictServer.Helpers;
 5 | 
 6 | public sealed class FormValueRequiredAttribute : ActionMethodSelectorAttribute
 7 | {
 8 |     private readonly string _name;
 9 | 
10 |     public FormValueRequiredAttribute(string name)
11 |     {
12 |         _name = name;
13 |     }
14 | 
15 |     public override bool IsValidForRequest(RouteContext context, ActionDescriptor action)
16 |     {
17 |         if (string.Equals(context.HttpContext.Request.Method, "GET", StringComparison.OrdinalIgnoreCase) ||
18 |             string.Equals(context.HttpContext.Request.Method, "HEAD", StringComparison.OrdinalIgnoreCase) ||
19 |             string.Equals(context.HttpContext.Request.Method, "DELETE", StringComparison.OrdinalIgnoreCase) ||
20 |             string.Equals(context.HttpContext.Request.Method, "TRACE", StringComparison.OrdinalIgnoreCase))
21 |         {
22 |             return false;
23 |         }
24 | 
25 |         if (string.IsNullOrEmpty(context.HttpContext.Request.ContentType))
26 |         {
27 |             return false;
28 |         }
29 | 
30 |         if (!context.HttpContext.Request.ContentType.StartsWith("application/x-www-form-urlencoded", StringComparison.OrdinalIgnoreCase))
31 |         {
32 |             return false;
33 |         }
34 | 
35 |         return !string.IsNullOrEmpty(context.HttpContext.Request.Form[_name]);
36 |     }
37 | }
38 | 


--------------------------------------------------------------------------------
/IdentityProvider/IdentityProvider.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk.Web">
 2 | 
 3 |   <PropertyGroup>
 4 |     <TargetFramework>net9.0</TargetFramework>
 5 |     <CopyRefAssembliesToPublishDirectory>false</CopyRefAssembliesToPublishDirectory>
 6 |     <UserSecretsId>728e892b-c8e1-40df-a44c-805a4a138e98</UserSecretsId>
 7 |     <ImplicitUsings>enable</ImplicitUsings>
 8 |     <!--<Nullable>enable</Nullable>-->
 9 |   </PropertyGroup>
10 | 
11 |   <ItemGroup>
12 |     <PackageReference Include="Fido2" Version="3.0.1" />
13 |     <PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.5" />
14 |     <PackageReference Include="Microsoft.AspNetCore.Diagnostics.EntityFrameworkCore" Version="9.0.5" />
15 |     <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="9.0.5" />
16 |     <PackageReference Include="Microsoft.AspNetCore.Identity.UI" Version="9.0.5" />
17 |     <PackageReference Include="Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation" Version="9.0.5" />
18 |     <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="9.0.5" />
19 |     <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" PrivateAssets="All" Version="9.0.5" />
20 |     <PackageReference Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="9.0.0" />
21 |     <PackageReference Include="OpenIddict.AspNetCore" Version="6.3.0" />
22 |     <PackageReference Include="OpenIddict.EntityFrameworkCore" Version="6.3.0" />
23 |     <PackageReference Include="OpenIddict.Quartz" Version="6.3.0" />
24 |     <PackageReference Include="Quartz.Extensions.Hosting" Version="3.14.0" />
25 |   </ItemGroup>
26 | 
27 |   <ItemGroup>
28 |     <Folder Include="Migrations\" />
29 |   </ItemGroup>
30 | 
31 | </Project>
32 | 


--------------------------------------------------------------------------------
/IdentityProvider/Migrations/20240229095541_UpdateOidc.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.EntityFrameworkCore.Migrations;
 2 | 
 3 | #nullable disable
 4 | 
 5 | namespace IdentityProvider.Migrations
 6 | {
 7 |     /// <inheritdoc />
 8 |     public partial class UpdateOidc : Migration
 9 |     {
10 |         /// <inheritdoc />
11 |         protected override void Up(MigrationBuilder migrationBuilder)
12 |         {
13 | 
14 |         }
15 | 
16 |         /// <inheritdoc />
17 |         protected override void Down(MigrationBuilder migrationBuilder)
18 |         {
19 | 
20 |         }
21 |     }
22 | }
23 | 


--------------------------------------------------------------------------------
/IdentityProvider/Migrations/20240229100936_update-oidc.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.EntityFrameworkCore.Migrations;
 2 | 
 3 | #nullable disable
 4 | 
 5 | namespace IdentityProvider.Migrations
 6 | {
 7 |     /// <inheritdoc />
 8 |     public partial class updateoidc : Migration
 9 |     {
10 |         /// <inheritdoc />
11 |         protected override void Up(MigrationBuilder migrationBuilder)
12 |         {
13 |             migrationBuilder.RenameColumn(
14 |                 name: "Type",
15 |                 table: "OpenIddictApplications",
16 |                 newName: "ClientType");
17 | 
18 |             migrationBuilder.AddColumn<string>(
19 |                 name: "ApplicationType",
20 |                 table: "OpenIddictApplications",
21 |                 type: "TEXT",
22 |                 maxLength: 50,
23 |                 nullable: true);
24 | 
25 |             migrationBuilder.AddColumn<string>(
26 |                 name: "JsonWebKeySet",
27 |                 table: "OpenIddictApplications",
28 |                 type: "TEXT",
29 |                 nullable: true);
30 | 
31 |             migrationBuilder.AddColumn<string>(
32 |                 name: "Settings",
33 |                 table: "OpenIddictApplications",
34 |                 type: "TEXT",
35 |                 nullable: true);
36 |         }
37 | 
38 |         /// <inheritdoc />
39 |         protected override void Down(MigrationBuilder migrationBuilder)
40 |         {
41 |             migrationBuilder.DropColumn(
42 |                 name: "ApplicationType",
43 |                 table: "OpenIddictApplications");
44 | 
45 |             migrationBuilder.DropColumn(
46 |                 name: "JsonWebKeySet",
47 |                 table: "OpenIddictApplications");
48 | 
49 |             migrationBuilder.DropColumn(
50 |                 name: "Settings",
51 |                 table: "OpenIddictApplications");
52 | 
53 |             migrationBuilder.RenameColumn(
54 |                 name: "ClientType",
55 |                 table: "OpenIddictApplications",
56 |                 newName: "Type");
57 |         }
58 |     }
59 | }
60 | 


--------------------------------------------------------------------------------
/IdentityProvider/Program.cs:
--------------------------------------------------------------------------------
  1 | using Fido2Identity;
  2 | using Fido2NetLib;
  3 | using Microsoft.AspNetCore.Identity;
  4 | using Microsoft.EntityFrameworkCore;
  5 | using Microsoft.IdentityModel.Logging;
  6 | using OpeniddictServer;
  7 | using OpeniddictServer.Data;
  8 | using Quartz;
  9 | using System.IdentityModel.Tokens.Jwt;
 10 | using static OpenIddict.Abstractions.OpenIddictConstants;
 11 | var builder = WebApplication.CreateBuilder(args);
 12 | 
 13 | var services = builder.Services;
 14 | var configuration = builder.Configuration;
 15 | 
 16 | services.AddControllersWithViews();
 17 | services.AddRazorPages();
 18 | 
 19 | services.AddCors(options =>
 20 | {
 21 |     options.AddPolicy("AllowAllOrigins",
 22 |         builder =>
 23 |         {
 24 |             builder
 25 |                 .AllowCredentials()
 26 |                 .WithOrigins(
 27 |                     "https://localhost:4200")
 28 |                 .SetIsOriginAllowedToAllowWildcardSubdomains()
 29 |                 .AllowAnyHeader()
 30 |                 .AllowAnyMethod();
 31 |         });
 32 | });
 33 | 
 34 | services.AddDbContext<ApplicationDbContext>(options =>
 35 | {
 36 |     // Configure the context to use Microsoft SQL Server.
 37 |     options.UseSqlite(configuration.GetConnectionString("DefaultConnection"));
 38 | 
 39 |     // Register the entity sets needed by OpenIddict.
 40 |     // Note: use the generic overload if you need
 41 |     // to replace the default OpenIddict entities.
 42 |     options.UseOpenIddict();
 43 | });
 44 | 
 45 | services.AddDatabaseDeveloperPageExceptionFilter();
 46 | 
 47 | services.AddIdentity<ApplicationUser, IdentityRole>()
 48 |   .AddEntityFrameworkStores<ApplicationDbContext>()
 49 |   .AddDefaultTokenProviders()
 50 |   .AddDefaultUI()
 51 |   .AddTokenProvider<Fido2UserTwoFactorTokenProvider>("FIDO2");
 52 | 
 53 | services.Configure<Fido2Configuration>(configuration.GetSection("fido2"));
 54 | services.AddScoped<Fido2Store>();
 55 | 
 56 | services.AddDistributedMemoryCache();
 57 | 
 58 | services.AddSession(options =>
 59 | {
 60 |     options.IdleTimeout = TimeSpan.FromMinutes(2);
 61 |     options.Cookie.HttpOnly = true;
 62 |     options.Cookie.SameSite = SameSiteMode.None;
 63 |     options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
 64 | });
 65 | 
 66 | services.Configure<IdentityOptions>(options =>
 67 | {
 68 |     // Configure Identity to use the same JWT claims as OpenIddict instead
 69 |     // of the legacy WS-Federation claims it uses by default (ClaimTypes),
 70 |     // which saves you from doing the mapping in your authorization controller.
 71 |     options.ClaimsIdentity.UserNameClaimType = Claims.Name;
 72 |     options.ClaimsIdentity.UserIdClaimType = Claims.Subject;
 73 |     options.ClaimsIdentity.RoleClaimType = Claims.Role;
 74 |     options.ClaimsIdentity.EmailClaimType = Claims.Email;
 75 | 
 76 |     // Note: to require account confirmation before login,
 77 |     // register an email sender service (IEmailSender) and
 78 |     // set options.SignIn.RequireConfirmedAccount to true.
 79 |     //
 80 |     // For more information, visit https://aka.ms/aspaccountconf.
 81 |     options.SignIn.RequireConfirmedAccount = false;
 82 | });
 83 | 
 84 | // OpenIddict offers native integration with Quartz.NET to perform scheduled tasks
 85 | // (like pruning orphaned authorizations/tokens from the database) at regular intervals.
 86 | services.AddQuartz(options =>
 87 | {
 88 |     options.UseSimpleTypeLoader();
 89 |     options.UseInMemoryStore();
 90 | });
 91 | 
 92 | // Register the Quartz.NET service and configure it to block shutdown until jobs are complete.
 93 | services.AddQuartzHostedService(options => options.WaitForJobsToComplete = true);
 94 | 
 95 | services.AddOpenIddict()
 96 | 
 97 |     // Register the OpenIddict core components.
 98 |     .AddCore(options =>
 99 |     {
100 |         // Configure OpenIddict to use the Entity Framework Core stores and models.
101 |         // Note: call ReplaceDefaultEntities() to replace the default OpenIddict entities.
102 |         options.UseEntityFrameworkCore()
103 |                .UseDbContext<ApplicationDbContext>();
104 | 
105 |         // Enable Quartz.NET integration.
106 |         options.UseQuartz();
107 |     })
108 | 
109 |     // Register the OpenIddict server components.
110 |     .AddServer(options =>
111 |     {
112 |         // Enable the authorization, logout, token and userinfo endpoints.
113 |         options.SetAuthorizationEndpointUris("/connect/authorize")
114 |             .SetEndSessionEndpointUris("/connect/logout")
115 |             .SetIntrospectionEndpointUris("/connect/introspect")
116 |             .SetTokenEndpointUris("/connect/token")
117 |             .SetUserInfoEndpointUris("/connect/userinfo")
118 |             .SetEndUserVerificationEndpointUris("/connect/verify");
119 | 
120 |         // Note: this sample uses the code, device code, password and refresh token flows, but you
121 |         // can enable the other flows if you need to support implicit or client credentials.
122 |         options.AllowAuthorizationCodeFlow()
123 |             .AllowClientCredentialsFlow()
124 |             .AllowHybridFlow()
125 |             .AllowRefreshTokenFlow();
126 | 
127 |         // Mark the "email", "profile", "roles" and "dataEventRecords" scopes as supported scopes.
128 |         options.RegisterScopes(Scopes.Email, Scopes.Profile, Scopes.Roles, "dataEventRecords");
129 | 
130 |         // remove this with introspection, added security
131 |         options.DisableAccessTokenEncryption();
132 | 
133 |         // Register the signing and encryption credentials.
134 |         options.AddDevelopmentEncryptionCertificate()
135 |                .AddDevelopmentSigningCertificate();
136 | 
137 |         // Register the ASP.NET Core host and configure the ASP.NET Core-specific options.
138 |         options.UseAspNetCore()
139 |                .EnableAuthorizationEndpointPassthrough()
140 |                .EnableEndSessionEndpointPassthrough()
141 |                .EnableTokenEndpointPassthrough()
142 |                .EnableUserInfoEndpointPassthrough()
143 |                .EnableStatusCodePagesIntegration();
144 |     })
145 | 
146 |     // Register the OpenIddict validation components.
147 |     .AddValidation(options =>
148 |     {
149 |         // Import the configuration from the local OpenIddict server instance.
150 |         options.UseLocalServer();
151 | 
152 |         // Register the ASP.NET Core host.
153 |         options.UseAspNetCore();
154 |     });
155 | 
156 | // Register the worker responsible of seeding the database.
157 | // Note: in a real world application, this step should be part of a setup script.
158 | services.AddHostedService<Worker>();
159 | 
160 | 
161 | var app = builder.Build();
162 | 
163 | IdentityModelEventSource.ShowPII = true;
164 | JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear();
165 | 
166 | if (app.Environment.IsDevelopment())
167 | {
168 |     app.UseDeveloperExceptionPage();
169 |     app.UseMigrationsEndPoint();
170 | }
171 | else
172 | {
173 |     app.UseStatusCodePagesWithReExecute("~/error");
174 | }
175 | 
176 | app.UseCors("AllowAllOrigins");
177 | 
178 | app.UseHttpsRedirection();
179 | app.UseStaticFiles();
180 | 
181 | app.UseRouting();
182 | 
183 | app.UseAuthentication();
184 | app.UseAuthorization();
185 | 
186 | app.UseSession();
187 | 
188 | app.MapControllers();
189 | app.MapDefaultControllerRoute();
190 | app.MapRazorPages();
191 | 
192 | app.Run();
193 | 


--------------------------------------------------------------------------------
/IdentityProvider/Properties/launchSettings.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "profiles": {
 3 |     "OpeniddictServer": {
 4 |       "commandName": "Project",
 5 |       "launchBrowser": true,
 6 |       "environmentVariables": {
 7 |         "ASPNETCORE_ENVIRONMENT": "Development",
 8 |         "ASPNETCORE_HOSTINGSTARTUPASSEMBLIES": "Microsoft.AspNetCore.Mvc.Razor.RuntimeCompilation"
 9 |       },
10 |       "applicationUrl": "https://localhost:44318/"
11 |     }
12 |   }
13 | }


--------------------------------------------------------------------------------
/IdentityProvider/ViewModels/Authorization/AuthorizeViewModel.cs:
--------------------------------------------------------------------------------
 1 | using System.ComponentModel.DataAnnotations;
 2 | 
 3 | namespace OpeniddictServer.ViewModels.Authorization;
 4 | 
 5 | public class AuthorizeViewModel
 6 | {
 7 |     [Display(Name = "Application")]
 8 |     public string ApplicationName { get; set; }
 9 | 
10 |     [Display(Name = "Scope")]
11 |     public string Scope { get; set; }
12 | }
13 | 


--------------------------------------------------------------------------------
/IdentityProvider/ViewModels/Shared/ErrorViewModel.cs:
--------------------------------------------------------------------------------
 1 | using System.ComponentModel.DataAnnotations;
 2 | 
 3 | namespace OpeniddictServer.ViewModels.Shared;
 4 | 
 5 | public class ErrorViewModel
 6 | {
 7 |     [Display(Name = "Error")]
 8 |     public string Error { get; set; }
 9 | 
10 |     [Display(Name = "Description")]
11 |     public string ErrorDescription { get; set; }
12 | }
13 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/Authorization/Authorize.cshtml:
--------------------------------------------------------------------------------
 1 | @using Microsoft.Extensions.Primitives
 2 | @model AuthorizeViewModel
 3 | 
 4 | <div class="jumbotron">
 5 |     <h1>Authorization</h1>
 6 | 
 7 |     <p class="lead text-left">Do you want to grant <strong>@Model.ApplicationName</strong> access to your data? (scopes requested: @Model.Scope)</p>
 8 | 
 9 |     <form asp-controller="Authorization" asp-action="Authorize" method="post">
10 |         @* Flow the request parameters so they can be received by the Accept/Reject actions: *@
11 |         @foreach (var parameter in Context.Request.HasFormContentType ?
12 |             (IEnumerable<KeyValuePair<string, StringValues>>) Context.Request.Form : Context.Request.Query)
13 |         {
14 |             <input type="hidden" name="@parameter.Key" value="@parameter.Value" />
15 |         }
16 | 
17 |         <input class="btn btn-lg btn-success" name="submit.Accept" type="submit" value="Yes" />
18 |         <input class="btn btn-lg btn-danger" name="submit.Deny" type="submit" value="No" />
19 |     </form>
20 | </div>
21 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/Authorization/Logout.cshtml:
--------------------------------------------------------------------------------
 1 | @using Microsoft.Extensions.Primitives
 2 | 
 3 | <div class="jumbotron">
 4 |     <h1>Log out</h1>
 5 |     <p class="lead text-left">Are you sure you want to sign out?</p>
 6 | 
 7 |     <form asp-controller="Authorization" asp-action="Logout" method="post">
 8 |         @* Flow the request parameters so they can be received by the LogoutPost action: *@
 9 |         @foreach (var parameter in Context.Request.HasFormContentType ?
10 |            (IEnumerable<KeyValuePair<string, StringValues>>) Context.Request.Form : Context.Request.Query)
11 |         {
12 |             <input type="hidden" name="@parameter.Key" value="@parameter.Value" />
13 |         }
14 | 
15 |         <input class="btn btn-lg btn-success" name="Confirm" type="submit" value="Yes" />
16 |     </form>
17 | </div>


--------------------------------------------------------------------------------
/IdentityProvider/Views/Home/Index.cshtml:
--------------------------------------------------------------------------------
1 | @{
2 |     ViewData["Title"] = "Home Page";
3 | }
4 | 
5 | <div class="text-center">
6 |     <h1 class="display-4">Welcome</h1>
7 |     <p>Learn about <a href="https://docs.microsoft.com/aspnet/core">building Web apps with ASP.NET Core</a>.</p>
8 | </div>
9 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/Home/Privacy.cshtml:
--------------------------------------------------------------------------------
1 | @{
2 |     ViewData["Title"] = "Privacy Policy";
3 | }
4 | <h1>@ViewData["Title"]</h1>
5 | 
6 | <p>Use this page to detail your site's privacy policy.</p>
7 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/Shared/Error.cshtml:
--------------------------------------------------------------------------------
 1 | @model ErrorViewModel
 2 |     
 3 | <div class="jumbotron">
 4 |     <h2>Ooooops, something went really bad! :(</h2>
 5 |     <p class="lead text-left">
 6 |         @if (!string.IsNullOrEmpty(Model.Error)) {
 7 |             <strong>@Model.Error</strong>
 8 |         }
 9 | 
10 |         @if (!string.IsNullOrEmpty(Model.ErrorDescription)) {
11 |             <small>@Model.ErrorDescription</small>
12 |         }
13 |     </p>
14 | </div>


--------------------------------------------------------------------------------
/IdentityProvider/Views/Shared/_Layout.cshtml:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |     <meta charset="utf-8" />
 5 |     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 6 |     <title>@ViewData["Title"] - IdentityProvider</title>
 7 |     <script type="text/javascript" src="https://cdn.jsdelivr.net/npm/sweetalert2"></script>
 8 |     <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/limonte-sweetalert2/6.10.1/sweetalert2.min.css" />
 9 |     <link rel="stylesheet" href="~/lib/bootstrap/dist/css/bootstrap.min.css" />
10 |     <link rel="stylesheet" href="~/css/site.css" />
11 |     <link rel="stylesheet" href="~/IdentityProvider.styles.css" asp-append-version="true" />
12 | </head>
13 | <body>
14 |     <header>
15 |         <nav class="navbar navbar-expand-sm navbar-toggleable-sm navbar-light bg-white border-bottom box-shadow mb-3">
16 |             <div class="container">
17 |                 <a class="navbar-brand" asp-area="" asp-controller="Home" asp-action="Index">IdentityProvider</a>
18 |                 <button class="navbar-toggler" type="button" data-toggle="collapse" data-target=".navbar-collapse" aria-controls="navbarSupportedContent"
19 |                         aria-expanded="false" aria-label="Toggle navigation">
20 |                     <span class="navbar-toggler-icon"></span>
21 |                 </button>
22 |                 <div class="navbar-collapse collapse d-sm-inline-flex justify-content-between">
23 |                     <ul class="navbar-nav flex-grow-1">
24 |                         <li class="nav-item">
25 |                             <a class="nav-link text-dark" asp-area="" asp-controller="Home" asp-action="Index">Home</a>
26 |                         </li>
27 |                         <li class="nav-item">
28 |                             <a class="nav-link text-dark" asp-area="" asp-controller="Home" asp-action="Privacy">Privacy</a>
29 |                         </li>
30 |                     </ul>
31 |                     <partial name="_LoginPartial" />
32 |                 </div>
33 |             </div>
34 |         </nav>
35 |     </header>
36 |     <div class="container">
37 |         <main role="main" class="pb-3">
38 |             @RenderBody()
39 |         </main>
40 |     </div>
41 | 
42 |     <footer class="border-top footer text-muted">
43 |         <div class="container">
44 |             &copy; 2024 - OpenIddict Server - <a asp-area="" asp-controller="Home" asp-action="Privacy">Privacy</a>
45 |         </div>
46 |     </footer>
47 |     <script src="~/lib/jquery/dist/jquery.min.js"></script>
48 |     <script src="~/lib/bootstrap/dist/js/bootstrap.bundle.min.js"></script>
49 | 
50 |     <script src="~/js/site.js" asp-append-version="true"></script>
51 | 
52 |     @await RenderSectionAsync("Scripts", required: false)
53 | </body>
54 | </html>
55 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/Shared/_Layout.cshtml.css:
--------------------------------------------------------------------------------
 1 | /* Please see documentation at https://learn.microsoft.com/aspnet/core/client-side/bundling-and-minification
 2 | for details on configuring this project to bundle and minify static web assets. */
 3 | 
 4 | a.navbar-brand {
 5 |   white-space: normal;
 6 |   text-align: center;
 7 |   word-break: break-all;
 8 | }
 9 | 
10 | a {
11 |   color: #0077cc;
12 | }
13 | 
14 | .btn-primary {
15 |   color: #fff;
16 |   background-color: #1b6ec2;
17 |   border-color: #1861ac;
18 | }
19 | 
20 | .nav-pills .nav-link.active, .nav-pills .show > .nav-link {
21 |   color: #fff;
22 |   background-color: #1b6ec2;
23 |   border-color: #1861ac;
24 | }
25 | 
26 | .border-top {
27 |   border-top: 1px solid #e5e5e5;
28 | }
29 | .border-bottom {
30 |   border-bottom: 1px solid #e5e5e5;
31 | }
32 | 
33 | .box-shadow {
34 |   box-shadow: 0 .25rem .75rem rgba(0, 0, 0, .05);
35 | }
36 | 
37 | button.accept-policy {
38 |   font-size: 1rem;
39 |   line-height: inherit;
40 | }
41 | 
42 | .footer {
43 |   position: absolute;
44 |   bottom: 0;
45 |   width: 100%;
46 |   white-space: nowrap;
47 |   line-height: 60px;
48 | }
49 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/Shared/_LoginPartial.cshtml:
--------------------------------------------------------------------------------
 1 | @using Microsoft.AspNetCore.Identity
 2 | @inject SignInManager<ApplicationUser> SignInManager
 3 | @inject UserManager<ApplicationUser> UserManager
 4 | 
 5 | <ul class="navbar-nav">
 6 | @if (SignInManager.IsSignedIn(User))
 7 | {
 8 |     <li class="nav-item">
 9 |         <a  class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Manage/Index" title="Manage">Hello @User.Identity!.Name!</a>
10 |     </li>
11 |     <li class="nav-item">
12 |         <form  class="form-inline" asp-area="Identity" asp-page="/Account/Logout" asp-route-returnUrl="@Url.Action("Index", "Home", new { area = "" })">
13 |             <button  type="submit" class="nav-link btn btn-link text-dark">Logout</button>
14 |         </form>
15 |     </li>
16 | }
17 | else
18 | {
19 |     <li class="nav-item">
20 |         <a class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Register">Register</a>
21 |     </li>
22 |     <li class="nav-item">
23 |         <a class="nav-link text-dark" asp-area="Identity" asp-page="/Account/Login">Login</a>
24 |     </li>
25 | }
26 | </ul>
27 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/_ViewImports.cshtml:
--------------------------------------------------------------------------------
1 | @using OpeniddictServer
2 | @using OpeniddictServer.Data
3 | @using OpeniddictServer.ViewModels.Authorization
4 | @using OpeniddictServer.ViewModels.Shared
5 | @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
6 | 


--------------------------------------------------------------------------------
/IdentityProvider/Views/_ViewStart.cshtml:
--------------------------------------------------------------------------------
1 | @{
2 |     Layout = "_Layout";
3 | }
4 | 


--------------------------------------------------------------------------------
/IdentityProvider/Worker.cs:
--------------------------------------------------------------------------------
  1 | using OpenIddict.Abstractions;
  2 | using OpeniddictServer.Data;
  3 | using System.Globalization;
  4 | using static OpenIddict.Abstractions.OpenIddictConstants;
  5 | 
  6 | namespace OpeniddictServer;
  7 | 
  8 | public class Worker : IHostedService
  9 | {
 10 |     private readonly IServiceProvider _serviceProvider;
 11 | 
 12 |     public Worker(IServiceProvider serviceProvider)
 13 |         => _serviceProvider = serviceProvider;
 14 | 
 15 |     public async Task StartAsync(CancellationToken cancellationToken)
 16 |     {
 17 |         using var scope = _serviceProvider.CreateScope();
 18 | 
 19 |         var context = scope.ServiceProvider.GetRequiredService<ApplicationDbContext>();
 20 |         await context.Database.EnsureCreatedAsync(cancellationToken);
 21 | 
 22 |         await RegisterApplicationsAsync(scope.ServiceProvider);
 23 |         await RegisterScopesAsync(scope.ServiceProvider);
 24 | 
 25 |         static async Task RegisterApplicationsAsync(IServiceProvider provider)
 26 |         {
 27 |             var manager = provider.GetRequiredService<IOpenIddictApplicationManager>();
 28 | 
 29 |             // API delegated with introspection or CC
 30 |             if (await manager.FindByClientIdAsync("rs_dataEventRecordsApi") == null)
 31 |             {
 32 |                 var descriptor = new OpenIddictApplicationDescriptor
 33 |                 {
 34 |                     ClientId = "rs_dataEventRecordsApi",
 35 |                     ClientSecret = "dataEventRecordsSecret",
 36 |                     Permissions =
 37 |                     {
 38 |                         Permissions.Endpoints.Introspection,
 39 |                     }
 40 |                 };
 41 | 
 42 |                 await manager.CreateAsync(descriptor);
 43 |             }
 44 | 
 45 |             // API application CC
 46 |             if (await manager.FindByClientIdAsync("CC") == null)
 47 |             {
 48 |                 await manager.CreateAsync(new OpenIddictApplicationDescriptor
 49 |                 {
 50 |                     ClientId = "CC",
 51 |                     ClientSecret = "cc_secret",
 52 |                     DisplayName = "CC for protected API",
 53 |                     Permissions =
 54 |                     {
 55 |                         Permissions.Endpoints.Authorization,
 56 |                         Permissions.Endpoints.Token,
 57 |                         Permissions.GrantTypes.ClientCredentials,
 58 |                         Permissions.Prefixes.Scope + "dataEventRecords"
 59 |                     }
 60 |                 });
 61 |             }
 62 | 
 63 |             // OIDC Code flow confidential client
 64 |             if (await manager.FindByClientIdAsync("oidc-pkce-confidential") is null)
 65 |             {
 66 |                 await manager.CreateAsync(new OpenIddictApplicationDescriptor
 67 |                 {
 68 |                     ClientId = "oidc-pkce-confidential",
 69 |                     ConsentType = ConsentTypes.Explicit,
 70 |                     DisplayName = "OIDC confidential Code Flow PKCE",
 71 |                     DisplayNames =
 72 |                     {
 73 |                         [CultureInfo.GetCultureInfo("fr-FR")] = "Application cliente MVC"
 74 |                     },
 75 |                     PostLogoutRedirectUris =
 76 |                     {
 77 |                         new Uri("https://localhost:44360/signout-callback-oidc"),
 78 |                         new Uri("https://localhost:5001/signout-callback-oidc")
 79 |                     },
 80 |                     RedirectUris =
 81 |                     {
 82 |                         new Uri("https://localhost:44360/signin-oidc"),
 83 |                         new Uri("https://localhost:5001/signin-oidc")
 84 |                     },
 85 |                     ClientSecret = "oidc-pkce-confidential_secret",
 86 |                     Permissions =
 87 |                     {
 88 |                         Permissions.Endpoints.Authorization,
 89 |                         Permissions.Endpoints.EndSession,
 90 |                         Permissions.Endpoints.Token,
 91 |                         Permissions.Endpoints.Revocation,
 92 |                         Permissions.GrantTypes.AuthorizationCode,
 93 |                         Permissions.GrantTypes.RefreshToken,
 94 |                         Permissions.ResponseTypes.Code,
 95 |                         Permissions.Scopes.Email,
 96 |                         Permissions.Scopes.Profile,
 97 |                         Permissions.Scopes.Roles,
 98 |                         Permissions.Prefixes.Scope + "dataEventRecords"
 99 |                     },
100 |                     Requirements =
101 |                     {
102 |                         Requirements.Features.ProofKeyForCodeExchange
103 |                     }
104 |                 });
105 |             }
106 |         }
107 | 
108 |         static async Task RegisterScopesAsync(IServiceProvider provider)
109 |         {
110 |             var manager = provider.GetRequiredService<IOpenIddictScopeManager>();
111 | 
112 |             if (await manager.FindByNameAsync("dataEventRecords") is null)
113 |             {
114 |                 await manager.CreateAsync(new OpenIddictScopeDescriptor
115 |                 {
116 |                     DisplayName = "dataEventRecords API access",
117 |                     DisplayNames =
118 |                     {
119 |                         [CultureInfo.GetCultureInfo("fr-FR")] = "Accès à l'API de démo"
120 |                     },
121 |                     Name = "dataEventRecords",
122 |                     Resources =
123 |                     {
124 |                         "rs_dataEventRecordsApi"
125 |                     }
126 |                 });
127 |             }
128 |         }
129 |     }
130 | 
131 |     public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
132 | }
133 | 


--------------------------------------------------------------------------------
/IdentityProvider/appsettings.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "ConnectionStrings": {
 3 |     "DefaultConnection": "Data Source=usersdatabase.sqlite"
 4 |   },
 5 |   "Fido2": {
 6 |     "ServerDomain": "localhost",
 7 |     "ServerName": "Fido2OpenIddict",
 8 |     "Origins": [ "https://localhost:44318" ],
 9 |     "TimestampDriftTolerance": 300000,
10 |     "MDSAccessKey": null
11 |   },
12 |   "AllowedHosts": "*"
13 | }
14 | 


--------------------------------------------------------------------------------
/IdentityProvider/usersdatabase.sqlite:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/IdentityProvider/usersdatabase.sqlite


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/css/site.css:
--------------------------------------------------------------------------------
 1 | html {
 2 |   font-size: 14px;
 3 | }
 4 | 
 5 | @media (min-width: 768px) {
 6 |   html {
 7 |     font-size: 16px;
 8 |   }
 9 | }
10 | 
11 | .btn:focus, .btn:active:focus, .btn-link.nav-link:focus, .form-control:focus, .form-check-input:focus {
12 |   box-shadow: 0 0 0 0.1rem white, 0 0 0 0.25rem #258cfb;
13 | }
14 | 
15 | html {
16 |   position: relative;
17 |   min-height: 100%;
18 | }
19 | 
20 | body {
21 |   margin-bottom: 60px;
22 | }
23 | 
24 | .form-floating > .form-control-plaintext::placeholder, .form-floating > .form-control::placeholder {
25 |   color: var(--bs-secondary-color);
26 |   text-align: end;
27 | }
28 | 
29 | .form-floating > .form-control-plaintext:focus::placeholder, .form-floating > .form-control:focus::placeholder {
30 |   text-align: start;
31 | }


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/favicon.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/IdentityProvider/wwwroot/favicon.ico


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/images/securitykey.min.svg:
--------------------------------------------------------------------------------
1 | <svg xmlns="http://www.w3.org/2000/svg" width="783.478" height="321.091" viewBox="0 0 734.51033 301.02249"><g transform="translate(71.951 -314.708)"><rect width="285.714" height="122.857" x="105.714" y="403.791" ry="6" fill="#fff" stroke="#446cb3"/><path fill="#fff" stroke="#446cb3" d="M391.465 416.976h16.162v93.944h-16.162z"/><circle cx="246.429" cy="462.362" r="40" fill="#446cb3" stroke="#446cb3"/><circle r="14.603" cy="463.791" cx="125.714" fill="#fff" stroke="#446cb3"/><path fill="#f9bf3b" fill-opacity=".497" stroke="#f9bf3b" stroke-width="1.223" d="M408.861 428.802h62.991v14.471h-62.991zM408.861 484.958h62.991v14.471h-62.991z"/><path fill="#f9bf3b" fill-opacity=".497" stroke="#f9bf3b" stroke-width="1.078" d="M408.789 447.653h48.493v14.615h-48.493zM408.789 466.106h48.493v14.615h-48.493z"/><path fill="none" stroke="#446cb3" d="M407.784 417.011h77.11v93.943h-77.11z"/><path d="M236.034 451.289a10.094 10.094 0 0 0-10.093 10.094 10.094 10.094 0 0 0 10.093 10.093 10.094 10.094 0 0 0 10.097-10.093 10.094 10.094 0 0 0-10.097-10.094zm0 3.73a6.365 6.365 0 0 1 6.367 6.364 6.365 6.365 0 0 1-6.367 6.364 6.365 6.365 0 0 1-6.364-6.364 6.365 6.365 0 0 1 6.364-6.365z" fill="#fff" stroke="#446cb3" stroke-width=".691"/><path fill="#fff" d="M245.102 459.194h25.987v3.939h-25.987z"/><path fill="#fff" d="M266.719 462.841h2.669v5.463h-2.669zM259.949 462.841h2.669v4.334h-2.669z"/><circle r="40" cy="462.362" cx="246.429" fill="none" stroke="#446cb3"><animate attributeType="SVG" attributeName="r" begin="0s" dur="1.5s" repeatCount="indefinite" from="10%" to="25%"/><animate attributeType="CSS" attributeName="stroke-width" begin="0s" dur="1.5s" repeatCount="indefinite" from="1%" to="0%"/><animate attributeType="CSS" attributeName="opacity" begin="0s" dur="1.5s" repeatCount="indefinite" from="1" to="0"/></circle></g></svg>


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/images/securitykey.svg:
--------------------------------------------------------------------------------
  1 | <?xml version="1.0" encoding="UTF-8" standalone="no"?>
  2 | <!-- Created with Inkscape (http://www.inkscape.org/) -->
  3 | 
  4 | <svg
  5 |    xmlns:dc="http://purl.org/dc/elements/1.1/"
  6 |    xmlns:cc="http://creativecommons.org/ns#"
  7 |    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  8 |    xmlns:svg="http://www.w3.org/2000/svg"
  9 |    xmlns="http://www.w3.org/2000/svg"
 10 |    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
 11 |    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
 12 |    width="207.29514mm"
 13 |    height="84.955238mm"
 14 |    viewBox="0 0 734.51033 301.02249"
 15 |    id="svg2"
 16 |    version="1.1"
 17 |    inkscape:version="0.91 r13725"
 18 |    sodipodi:docname="yubico.svg">
 19 |   <defs
 20 |      id="defs4" />
 21 |   <sodipodi:namedview
 22 |      id="base"
 23 |      pagecolor="#ffffff"
 24 |      bordercolor="#666666"
 25 |      borderopacity="1.0"
 26 |      inkscape:pageopacity="0.0"
 27 |      inkscape:pageshadow="2"
 28 |      inkscape:zoom="0.7"
 29 |      inkscape:cx="168.94487"
 30 |      inkscape:cy="103.83617"
 31 |      inkscape:document-units="px"
 32 |      inkscape:current-layer="layer1"
 33 |      showgrid="false"
 34 |      inkscape:window-width="1366"
 35 |      inkscape:window-height="705"
 36 |      inkscape:window-x="-8"
 37 |      inkscape:window-y="-8"
 38 |      inkscape:window-maximized="1"
 39 |      fit-margin-top="25"
 40 |      fit-margin-left="50"
 41 |      fit-margin-right="50"
 42 |      fit-margin-bottom="25" />
 43 |   <metadata
 44 |      id="metadata7">
 45 |     <rdf:RDF>
 46 |       <cc:Work
 47 |          rdf:about="">
 48 |         <dc:format>image/svg+xml</dc:format>
 49 |         <dc:type
 50 |            rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
 51 |         <dc:title></dc:title>
 52 |       </cc:Work>
 53 |     </rdf:RDF>
 54 |   </metadata>
 55 |   <g
 56 |      inkscape:label="Layer 1"
 57 |      inkscape:groupmode="layer"
 58 |      id="layer1"
 59 |      transform="translate(71.951068,-314.70811)">
 60 |     <rect
 61 |        style="fill:#ffffff;fill-opacity:1;stroke:#446cb3;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
 62 |        id="rect3336"
 63 |        width="285.71429"
 64 |        height="122.85714"
 65 |        x="105.71429"
 66 |        y="403.79077"
 67 |        ry="6" />
 68 |     <rect
 69 |        style="fill:#ffffff;fill-opacity:1;stroke:#446cb3;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
 70 |        id="rect3338"
 71 |        width="16.162441"
 72 |        height="93.944183"
 73 |        x="391.46475"
 74 |        y="416.97626" />
 75 |     <circle
 76 |        style="fill:#446cb3;fill-opacity:1;stroke:#446cb3;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
 77 |        id="path4142"
 78 |        cx="246.42857"
 79 |        cy="462.36221"
 80 |        r="40" />
 81 |     <circle
 82 |        r="14.603174"
 83 |        cy="463.79077"
 84 |        cx="125.71429"
 85 |        id="circle4144"
 86 |        style="fill:#ffffff;fill-opacity:1;stroke:#446cb3;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
 87 |     <rect
 88 |        style="fill:#f9bf3b;fill-opacity:0.49704147;stroke:#f9bf3b;stroke-width:1.22285771;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
 89 |        id="rect4146"
 90 |        width="62.991428"
 91 |        height="14.470762"
 92 |        x="408.86142"
 93 |        y="428.8024" />
 94 |     <rect
 95 |        y="484.95779"
 96 |        x="408.86142"
 97 |        height="14.470762"
 98 |        width="62.991428"
 99 |        id="rect4148"
100 |        style="fill:#f9bf3b;fill-opacity:0.49704147;stroke:#f9bf3b;stroke-width:1.22285771;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
101 |     <rect
102 |        y="447.65253"
103 |        x="408.78912"
104 |        height="14.615334"
105 |        width="48.493141"
106 |        id="rect4150"
107 |        style="fill:#f9bf3b;fill-opacity:0.49704147;stroke:#f9bf3b;stroke-width:1.07828617;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
108 |     <rect
109 |        style="fill:#f9bf3b;fill-opacity:0.49704147;stroke:#f9bf3b;stroke-width:1.07828617;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
110 |        id="rect4152"
111 |        width="48.493141"
112 |        height="14.615335"
113 |        x="408.78912"
114 |        y="466.10574" />
115 |     <rect
116 |        y="417.01102"
117 |        x="407.784"
118 |        height="93.943275"
119 |        width="77.109886"
120 |        id="rect4140"
121 |        style="fill:none;fill-opacity:1;stroke:#446cb3;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
122 |     <path
123 |        inkscape:connector-curvature="0"
124 |        style="fill:#ffffff;fill-opacity:1;stroke:#446cb3;stroke-width:0.69124842;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
125 |        d="m 236.03445,451.28886 a 10.094421,10.094421 0 0 0 -10.09367,10.09367 10.094421,10.094421 0 0 0 10.09367,10.09368 10.094421,10.094421 0 0 0 10.09622,-10.09368 10.094421,10.094421 0 0 0 -10.09622,-10.09367 z m 0,3.72928 a 6.3652119,6.3652119 0 0 1 6.36694,6.36439 6.3652119,6.3652119 0 0 1 -6.36694,6.3644 6.3652119,6.3652119 0 0 1 -6.36439,-6.3644 6.3652119,6.3652119 0 0 1 6.36439,-6.36439 z"
126 |        id="circle4154" />
127 |     <rect
128 |        style="fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
129 |        id="rect4156"
130 |        width="25.986658"
131 |        height="3.9389563"
132 |        x="245.10188"
133 |        y="459.19366" />
134 |     <rect
135 |        style="fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
136 |        id="rect4158"
137 |        width="2.66921"
138 |        height="5.4627204"
139 |        x="266.71918"
140 |        y="462.84055" />
141 |     <rect
142 |        y="462.84055"
143 |        x="259.9491"
144 |        height="4.3343735"
145 |        width="2.66921"
146 |        id="rect4160"
147 |        style="fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1" />
148 |     <circle
149 |        r="40"
150 |        cy="462.36221"
151 |        cx="246.42857"
152 |        id="circle4155"
153 |        style="fill:none;fill-opacity:1;stroke:#446cb3;stroke-width:1;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1">
154 |        <animate attributeType="SVG" attributeName="r" begin="0s" dur="1.5s" repeatCount="indefinite" from="10%" to="25%"/>
155 |               <animate attributeType="CSS" attributeName="stroke-width" begin="0s"  dur="1.5s" repeatCount="indefinite" from="1%" to="0%" />
156 |               <animate attributeType="CSS" attributeName="opacity" begin="0s"  dur="1.5s" repeatCount="indefinite" from="1" to="0"/>
157 |        </circle>
158 |   </g>
159 | </svg>
160 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/js/helpers.js:
--------------------------------------------------------------------------------
  1 | coerceToArrayBuffer = function (thing, name) {
  2 |     if (typeof thing === "string") {
  3 |         // base64url to base64
  4 |         thing = thing.replace(/-/g, "+").replace(/_/g, "/");
  5 | 
  6 |         // base64 to Uint8Array
  7 |         var str = window.atob(thing);
  8 |         var bytes = new Uint8Array(str.length);
  9 |         for (var i = 0; i < str.length; i++) {
 10 |             bytes[i] = str.charCodeAt(i);
 11 |         }
 12 |         thing = bytes;
 13 |     }
 14 | 
 15 |     // Array to Uint8Array
 16 |     if (Array.isArray(thing)) {
 17 |         thing = new Uint8Array(thing);
 18 |     }
 19 | 
 20 |     // Uint8Array to ArrayBuffer
 21 |     if (thing instanceof Uint8Array) {
 22 |         thing = thing.buffer;
 23 |     }
 24 | 
 25 |     // error if none of the above worked
 26 |     if (!(thing instanceof ArrayBuffer)) {
 27 |         throw new TypeError("could not coerce '" + name + "' to ArrayBuffer");
 28 |     }
 29 | 
 30 |     return thing;
 31 | };
 32 | 
 33 | 
 34 | coerceToBase64Url = function (thing) {
 35 |     // Array or ArrayBuffer to Uint8Array
 36 |     if (Array.isArray(thing)) {
 37 |         thing = Uint8Array.from(thing);
 38 |     }
 39 | 
 40 |     if (thing instanceof ArrayBuffer) {
 41 |         thing = new Uint8Array(thing);
 42 |     }
 43 | 
 44 |     // Uint8Array to base64
 45 |     if (thing instanceof Uint8Array) {
 46 |         var str = "";
 47 |         var len = thing.byteLength;
 48 | 
 49 |         for (var i = 0; i < len; i++) {
 50 |             str += String.fromCharCode(thing[i]);
 51 |         }
 52 |         thing = window.btoa(str);
 53 |     }
 54 | 
 55 |     if (typeof thing !== "string") {
 56 |         throw new Error("could not coerce to string");
 57 |     }
 58 | 
 59 |     // base64 to base64url
 60 |     // NOTE: "=" at the end of challenge is optional, strip it off here
 61 |     thing = thing.replace(/\+/g, "-").replace(/\//g, "_").replace(/=*$/g, "");
 62 | 
 63 |     return thing;
 64 | };
 65 | 
 66 | 
 67 | 
 68 | // HELPERS
 69 | 
 70 | function showErrorAlert(message, error) {
 71 |     let footermsg = '';
 72 |     if (error) {
 73 |         footermsg = 'exception:' + error.toString();
 74 |     }
 75 |     Swal.fire({
 76 |         //type: 'error',
 77 |         title: 'Error',
 78 |         text: message,
 79 |         footer: footermsg
 80 |         //footer: '<a href>Why do I have this issue?</a>'
 81 |     })
 82 | }
 83 | 
 84 | function detectFIDOSupport() {
 85 |     if (window.PublicKeyCredential === undefined ||
 86 |         typeof window.PublicKeyCredential !== "function") {
 87 |         //$('#register-button').attr("disabled", true);
 88 |         //$('#login-button').attr("disabled", true);
 89 |         var el = document.getElementById("notSupportedWarning");
 90 |         if (el) {
 91 |             el.style.display = 'block';
 92 |         }
 93 |         return;
 94 |     }
 95 | }
 96 | 
 97 | /**
 98 |  * 
 99 |  * Get a form value
100 |  * @param {any} selector
101 |  */
102 | function value(selector) {
103 |     var el = document.querySelector(selector);
104 |     if (el.type === "checkbox") {
105 |         return el.checked;
106 |     }
107 |     return el.value;
108 | }


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/js/instant.js:
--------------------------------------------------------------------------------
  1 | /*! instant.page v1.1.0 - (C) 2019 Alexandre Dieulot - https://instant.page/license */
  2 | 
  3 | let urlToPreload
  4 | let mouseoverTimer
  5 | let lastTouchTimestamp
  6 | 
  7 | const prefetcher = document.createElement('link')
  8 | const isSupported = prefetcher.relList && prefetcher.relList.supports && prefetcher.relList.supports('prefetch')
  9 | const allowQueryString = 'instantAllowQueryString' in document.body.dataset
 10 | 
 11 | if (isSupported) {
 12 |     prefetcher.rel = 'prefetch'
 13 |     document.head.appendChild(prefetcher)
 14 | 
 15 |     const eventListenersOptions = {
 16 |         capture: true,
 17 |         passive: true,
 18 |     }
 19 |     document.addEventListener('touchstart', touchstartListener, eventListenersOptions)
 20 |     document.addEventListener('mouseover', mouseoverListener, eventListenersOptions)
 21 | }
 22 | 
 23 | function touchstartListener(event) {
 24 |     /* Chrome on Android calls mouseover before touchcancel so `lastTouchTimestamp`
 25 |      * must be assigned on touchstart to be measured on mouseover. */
 26 |     lastTouchTimestamp = performance.now()
 27 | 
 28 |     const linkElement = event.target.closest('a')
 29 | 
 30 |     if (!linkElement) {
 31 |         return
 32 |     }
 33 | 
 34 |     if (!isPreloadable(linkElement)) {
 35 |         return
 36 |     }
 37 | 
 38 |     linkElement.addEventListener('touchcancel', touchendAndTouchcancelListener, { passive: true })
 39 |     linkElement.addEventListener('touchend', touchendAndTouchcancelListener, { passive: true })
 40 | 
 41 |     urlToPreload = linkElement.href
 42 |     preload(linkElement.href)
 43 | }
 44 | 
 45 | function touchendAndTouchcancelListener() {
 46 |     urlToPreload = undefined
 47 |     stopPreloading()
 48 | }
 49 | 
 50 | function mouseoverListener(event) {
 51 |     if (performance.now() - lastTouchTimestamp < 1100) {
 52 |         return
 53 |     }
 54 | 
 55 |     const linkElement = event.target.closest('a')
 56 | 
 57 |     if (!linkElement) {
 58 |         return
 59 |     }
 60 | 
 61 |     if (!isPreloadable(linkElement)) {
 62 |         return
 63 |     }
 64 | 
 65 |     linkElement.addEventListener('mouseout', mouseoutListener, { passive: true })
 66 | 
 67 |     urlToPreload = linkElement.href
 68 | 
 69 |     mouseoverTimer = setTimeout(() => {
 70 |         preload(linkElement.href)
 71 |         mouseoverTimer = undefined
 72 |     }, 65)
 73 | }
 74 | 
 75 | function mouseoutListener(event) {
 76 |     if (event.relatedTarget && event.target.closest('a') == event.relatedTarget.closest('a')) {
 77 |         return
 78 |     }
 79 | 
 80 |     if (mouseoverTimer) {
 81 |         clearTimeout(mouseoverTimer)
 82 |         mouseoverTimer = undefined
 83 |     }
 84 |     else {
 85 |         urlToPreload = undefined
 86 |         stopPreloading()
 87 |     }
 88 | }
 89 | 
 90 | function isPreloadable(linkElement) {
 91 |     if (urlToPreload == linkElement.href) {
 92 |         return
 93 |     }
 94 | 
 95 |     const urlObject = new URL(linkElement.href)
 96 | 
 97 |     if (urlObject.origin != location.origin) {
 98 |         return
 99 |     }
100 | 
101 |     if (!allowQueryString && urlObject.search && !('instant' in linkElement.dataset)) {
102 |         return
103 |     }
104 | 
105 |     if (urlObject.hash && urlObject.pathname + urlObject.search == location.pathname + location.search) {
106 |         return
107 |     }
108 | 
109 |     if ('noInstant' in linkElement.dataset) {
110 |         return
111 |     }
112 | 
113 |     return true
114 | }
115 | 
116 | function preload(url) {
117 |     prefetcher.href = url
118 | }
119 | 
120 | function stopPreloading() {
121 |     /* The spec says an empty string should abort the prefetching
122 |     * but Firefox 64 interprets it as a relative URL to prefetch. */
123 |     prefetcher.removeAttribute('href')
124 | }
125 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/js/mfa.login.js:
--------------------------------------------------------------------------------
  1 | //document.getElementById('signin').addEventListener('click', handleSignInSubmit);
  2 | 
  3 | window.onload = function () {
  4 |     handleSignInSubmit();
  5 | };
  6 | 
  7 | async function handleSignInSubmit(event) {
  8 |     //event.preventDefault();
  9 | 
 10 |     //let username = this.username.value;
 11 |     // passwordfield is omitted in demo
 12 |     // let password = this.password.value;
 13 |     // prepare form post data
 14 |     var formData = new FormData();
 15 |     //formData.append('username', username);
 16 |     // not done in demo
 17 |     // todo: validate username + password with server (has nothing to do with FIDO2/WebAuthn)
 18 | 
 19 |     // send to server for registering
 20 |     let makeAssertionOptions;
 21 |     try {
 22 |         var res = await fetch('/mfaassertionOptions', {
 23 |             method: 'POST', // or 'PUT'
 24 |             body: formData, // data can be `string` or {object}!
 25 |             headers: {
 26 |                 'Accept': 'application/json',
 27 |                 'RequestVerificationToken': document.getElementById('RequestVerificationToken').value
 28 |             }
 29 |         });
 30 | 
 31 |         makeAssertionOptions = await res.json();
 32 |     } catch (e) {
 33 |         showErrorAlert("Request to server failed", e);
 34 |     }
 35 | 
 36 |     //console.log("Assertion Options Object", makeAssertionOptions);
 37 | 
 38 |     // show options error to user
 39 |     if (makeAssertionOptions.status !== "ok") {
 40 |         console.log("Error creating assertion options");
 41 |         console.log(makeAssertionOptions.errorMessage);
 42 |         showErrorAlert(makeAssertionOptions.errorMessage);
 43 |         return;
 44 |     }
 45 | 
 46 |     // todo: switch this to coercebase64
 47 |     const challenge = makeAssertionOptions.challenge.replace(/-/g, "+").replace(/_/g, "/");
 48 |     makeAssertionOptions.challenge = Uint8Array.from(atob(challenge), c => c.charCodeAt(0));
 49 | 
 50 |     // fix escaping. Change this to coerce
 51 |     makeAssertionOptions.allowCredentials.forEach(function (listItem) {
 52 |         var fixedId = listItem.id.replace(/\_/g, "/").replace(/\-/g, "+");
 53 |         listItem.id = Uint8Array.from(atob(fixedId), c => c.charCodeAt(0));
 54 |     });
 55 | 
 56 |     //console.log("Assertion options", makeAssertionOptions);
 57 | 
 58 |     const fido2TapKeyToLogin = document.getElementById('fido2TapKeyToLogin').innerText;
 59 |     document.getElementById('fido2logindisplay').innerHTML += '<br><b>' + fido2TapKeyToLogin + '</b><img src = "/images/securitykey.min.svg" alt = "fido login" />';
 60 | 
 61 |     //Swal.fire({
 62 |     //    title: 'Logging In...',
 63 |     //    text: 'Tap your security key to login.',
 64 |     //    imageUrl: "/images/securitykey.min.svg",
 65 |     //    showCancelButton: true,
 66 |     //    showConfirmButton: false,
 67 |     //    focusConfirm: false,
 68 |     //    focusCancel: false
 69 |     //});
 70 | 
 71 |     // ask browser for credentials (browser will ask connected authenticators)
 72 |     let credential;
 73 |     try {
 74 |         credential = await navigator.credentials.get({ publicKey: makeAssertionOptions });
 75 |     } catch (err) {
 76 |         document.getElementById('fido2logindisplay').innerHTML = '';
 77 |         showErrorAlert(err.message ? err.message : err);
 78 |     }
 79 | 
 80 |     //document.getElementById('fido2logindisplay').innerHTML = '<p>Processing</p>';
 81 | 
 82 |     try {
 83 |         await verifyAssertionWithServer(credential);
 84 |     } catch (e) {
 85 |         document.getElementById('fido2logindisplay').innerHTML = '';
 86 |         const fido2CouldNotVerifyAssertion = document.getElementById('fido2CouldNotVerifyAssertion').innerText;
 87 |         showErrorAlert(fido2CouldNotVerifyAssertion, e);
 88 |     }
 89 | }
 90 | 
 91 | async function verifyAssertionWithServer(assertedCredential) {
 92 |     // Move data into Arrays incase it is super long
 93 |     let authData = new Uint8Array(assertedCredential.response.authenticatorData);
 94 |     let clientDataJSON = new Uint8Array(assertedCredential.response.clientDataJSON);
 95 |     let rawId = new Uint8Array(assertedCredential.rawId);
 96 |     let sig = new Uint8Array(assertedCredential.response.signature);
 97 |     let userHandle = new Uint8Array(assertedCredential.response.userHandle);
 98 |     const data = {
 99 |         id: assertedCredential.id,
100 |         rawId: coerceToBase64Url(rawId),
101 |         type: assertedCredential.type,
102 |         extensions: assertedCredential.getClientExtensionResults(),
103 |         response: {
104 |             authenticatorData: coerceToBase64Url(authData),
105 |             clientDataJson: coerceToBase64Url(clientDataJSON),
106 |             //userHandle: userHandle !== null ? coerceToBase64Url(userHandle) : null,
107 |             signature: coerceToBase64Url(sig)
108 |         }
109 |     };
110 | 
111 |     let response;
112 |     try {
113 |         let res = await fetch("/mfamakeAssertion", {
114 |             method: 'POST', // or 'PUT'
115 |             body: JSON.stringify(data), // data can be `string` or {object}!
116 |             headers: {
117 |                 'Accept': 'application/json',
118 |                 'Content-Type': 'application/json',
119 |                 'RequestVerificationToken': document.getElementById('RequestVerificationToken').value
120 |             }
121 |         });
122 | 
123 |         response = await res.json();
124 |     } catch (e) {
125 |         showErrorAlert("Request to server failed", e);
126 |         throw e;
127 |     }
128 | 
129 |     //console.log("Assertion Object", response);
130 | 
131 |     // show error
132 |     if (response.status !== "ok") {
133 |         console.log("Error doing assertion");
134 |         console.log(response.errorMessage);
135 |         document.getElementById('fido2logindisplay').innerHTML = '';
136 |         showErrorAlert(response.errorMessage);
137 |         return;
138 |     }
139 | 
140 |     //document.getElementById('fido2logindisplay').innerHTML = '<p>Logged In!</p>';
141 | 
142 |     // show success message
143 |     //await Swal.fire({
144 |     //    title: 'Logged In!',
145 |     //    text: 'You\'re logged in successfully.',
146 |     //    //type: 'success',
147 |     //    timer: 2000
148 |     //});
149 |     let fido2ReturnUrl = document.getElementById('fido2ReturnUrl').innerText;
150 |     if (!fido2ReturnUrl) {
151 |         fido2ReturnUrl = "/";
152 |     }
153 |     window.location.href = fido2ReturnUrl;
154 | }
155 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/js/mfa.register.js:
--------------------------------------------------------------------------------
  1 | document.getElementById('register').addEventListener('submit', handleRegisterSubmit);
  2 | 
  3 | async function handleRegisterSubmit(event) {
  4 |     event.preventDefault();
  5 | 
  6 |     let username = this.username.value;
  7 |     //let displayName = this.displayName.value;
  8 |     // passwordfield is omitted in demo
  9 |     // let password = this.password.value;
 10 |     // possible values: none, direct, indirect
 11 |     let attestation_type = "none";
 12 |     // possible values: <empty>, platform, cross-platform
 13 |     let authenticator_attachment = "";
 14 |     // possible values: preferred, required, discouraged
 15 |     let user_verification = "preferred";
 16 |     // possible values: true,false
 17 |     let require_resident_key = false;
 18 |     // prepare form post data
 19 |     var data = new FormData();
 20 |     data.append('username', username);
 21 |    // data.append('displayName', displayName);
 22 |     data.append('attType', attestation_type);
 23 |     data.append('authType', authenticator_attachment);
 24 |     data.append('userVerification', user_verification);
 25 |     data.append('requireResidentKey', require_resident_key);
 26 | 
 27 |     // send to server for registering
 28 |     let makeCredentialOptions;
 29 |     try {
 30 |         makeCredentialOptions = await fetchMakeCredentialOptions(data);
 31 | 
 32 |     } catch (e) {
 33 |         console.error(e);
 34 |         let msg = "Something wen't really wrong";
 35 |         showErrorAlert(msg);
 36 |     }
 37 | 
 38 |     //console.log("Credential Options Object", makeCredentialOptions);
 39 | 
 40 |     if (makeCredentialOptions.status !== "ok") {
 41 |         console.log("Error creating credential options");
 42 |         console.log(makeCredentialOptions.errorMessage);
 43 |         showErrorAlert(makeCredentialOptions.errorMessage);
 44 |         return;
 45 |     }
 46 | 
 47 |     // Turn the challenge back into the accepted format of padded base64
 48 |     makeCredentialOptions.challenge = coerceToArrayBuffer(makeCredentialOptions.challenge);
 49 |     // Turn ID into a UInt8Array Buffer for some reason
 50 |     makeCredentialOptions.user.id = coerceToArrayBuffer(makeCredentialOptions.user.id);
 51 | 
 52 |     makeCredentialOptions.excludeCredentials = makeCredentialOptions.excludeCredentials.map((c) => {
 53 |         c.id = coerceToArrayBuffer(c.id);
 54 |         return c;
 55 |     });
 56 | 
 57 |     if (makeCredentialOptions.authenticatorSelection.authenticatorAttachment === null) {
 58 |         makeCredentialOptions.authenticatorSelection.authenticatorAttachment = undefined;
 59 |     }
 60 | 
 61 |     //console.log("Credential Options Formatted", makeCredentialOptions);
 62 | 
 63 |     const fido2TapYourSecurityKeyToFinishRegistration = document.getElementById('fido2TapYourSecurityKeyToFinishRegistration').innerText;
 64 |     document.getElementById('fido2mfadisplay').innerHTML += '<br><b>' + fido2TapYourSecurityKeyToFinishRegistration +'</b><img src = "/images/securitykey.min.svg" alt = "fido login" />';
 65 | 
 66 |     //Swal.fire({
 67 |     //    title: 'Registering...',
 68 |     //    text: 'Tap your security key to finish registration.',
 69 |     //    imageUrl: "/images/securitykey.min.svg",
 70 |     //    showCancelButton: true,
 71 |     //    showConfirmButton: false,
 72 |     //    focusConfirm: false,
 73 |     //    focusCancel: false
 74 |     //});
 75 | 
 76 |     //console.log("Creating PublicKeyCredential...");
 77 |     //console.log(navigator);
 78 |     //console.log(navigator.credentials);
 79 |     //console.log(makeCredentialOptions);
 80 |     let newCredential;
 81 |     try {
 82 |         newCredential = await navigator.credentials.create({
 83 |             publicKey: makeCredentialOptions
 84 |         });
 85 |     } catch (e) {
 86 |         const fido2RegistrationError = document.getElementById('fido2RegistrationError').innerText;
 87 |         console.error(fido2RegistrationError, e);
 88 |         document.getElementById('fido2mfadisplay').innerHTML = '';
 89 |         showErrorAlert(fido2RegistrationError, e);
 90 |     }
 91 | 
 92 |     console.log("PublicKeyCredential Created", newCredential);
 93 | 
 94 |     try {
 95 |         registerNewCredential(newCredential);
 96 | 
 97 |     } catch (e) {
 98 |         showErrorAlert(err.message ? err.message : err);
 99 |     }
100 | }
101 | 
102 | async function fetchMakeCredentialOptions(formData) {
103 |     let response = await fetch('/mfamakeCredentialOptions', {
104 |         method: 'POST', // or 'PUT'
105 |         body: formData, // data can be `string` or {object}!
106 |         headers: {
107 |             'Accept': 'application/json',
108 |             'RequestVerificationToken': document.getElementById('RequestVerificationToken').value
109 |         }
110 |     });
111 | 
112 |     let data = await response.json();
113 | 
114 |     return data;
115 | }
116 | 
117 | // This should be used to verify the auth data with the server
118 | async function registerNewCredential(newCredential) {
119 |     // Move data into Arrays incase it is super long
120 |     let attestationObject = new Uint8Array(newCredential.response.attestationObject);
121 |     let clientDataJSON = new Uint8Array(newCredential.response.clientDataJSON);
122 |     let rawId = new Uint8Array(newCredential.rawId);
123 | 
124 |     const data = {
125 |         id: newCredential.id,
126 |         rawId: coerceToBase64Url(rawId),
127 |         type: newCredential.type,
128 |         extensions: newCredential.getClientExtensionResults(),
129 |         response: {
130 |             AttestationObject: coerceToBase64Url(attestationObject),
131 |             clientDataJson: coerceToBase64Url(clientDataJSON)
132 |         }
133 |     };
134 | 
135 |     let response;
136 |     try {
137 |         response = await registerCredentialWithServer(data);
138 |     } catch (e) {
139 |         showErrorAlert(e);
140 |     }
141 | 
142 |     //console.log("Credential Object", response);
143 | 
144 |     // show error
145 |     if (response.status !== "ok") {
146 |         console.log("Error creating credential");
147 |         console.log(response.errorMessage);
148 |         showErrorAlert(response.errorMessage);
149 |         return;
150 |     }
151 | 
152 |     // show success 
153 |     Swal.fire({
154 |         title: 'Registration Successful!',
155 |         text: 'You\'ve registered successfully.',
156 |        // type: 'success',
157 |         timer: 2000
158 |     });
159 | 
160 |     // possible values: true,false
161 |     window.location.href = "/Identity/Account/Manage/GenerateRecoveryCodes";
162 | }
163 | 
164 | async function registerCredentialWithServer(formData) {
165 |     let response = await fetch('/mfamakeCredential', {
166 |         method: 'POST', // or 'PUT'
167 |         body: JSON.stringify(formData), // data can be `string` or {object}!
168 |         headers: {
169 |             'Accept': 'application/json',
170 |             'Content-Type': 'application/json',
171 |             'RequestVerificationToken': document.getElementById('RequestVerificationToken').value
172 |         }
173 |     });
174 | 
175 |     let data = await response.json();
176 | 
177 |     return data;
178 | }


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/js/site.js:
--------------------------------------------------------------------------------
1 | // Please see documentation at https://learn.microsoft.com/aspnet/core/client-side/bundling-and-minification
2 | // for details on configuring this project to bundle and minify static web assets.
3 | 
4 | // Write your JavaScript code.
5 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/lib/bootstrap/LICENSE:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) 2011-2021 Twitter, Inc.
 4 | Copyright (c) 2011-2021 The Bootstrap Authors
 5 | 
 6 | Permission is hereby granted, free of charge, to any person obtaining a copy
 7 | of this software and associated documentation files (the "Software"), to deal
 8 | in the Software without restriction, including without limitation the rights
 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | copies of the Software, and to permit persons to whom the Software is
11 | furnished to do so, subject to the following conditions:
12 | 
13 | The above copyright notice and this permission notice shall be included in
14 | all copies or substantial portions of the Software.
15 | 
16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | THE SOFTWARE.
23 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/lib/jquery-validation-unobtrusive/LICENSE.txt:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | 
 3 | Copyright (c) .NET Foundation and Contributors
 4 | 
 5 | All rights reserved.
 6 | 
 7 | Permission is hereby granted, free of charge, to any person obtaining a copy
 8 | of this software and associated documentation files (the "Software"), to deal
 9 | in the Software without restriction, including without limitation the rights
10 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 | copies of the Software, and to permit persons to whom the Software is
12 | furnished to do so, subject to the following conditions:
13 | 
14 | The above copyright notice and this permission notice shall be included in all
15 | copies or substantial portions of the Software.
16 | 
17 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
20 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
23 | SOFTWARE.
24 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/lib/jquery-validation-unobtrusive/dist/jquery.validate.unobtrusive.min.js:
--------------------------------------------------------------------------------
1 | /**
2 |  * @license
3 |  * Unobtrusive validation support library for jQuery and jQuery Validate
4 |  * Copyright (c) .NET Foundation. All rights reserved.
5 |  * Licensed under the Apache License, Version 2.0. See License.txt in the project root for license information.
6 |  * @version v4.0.0
7 |  */
8 | !function(a){"function"==typeof define&&define.amd?define("jquery.validate.unobtrusive",["jquery-validation"],a):"object"==typeof module&&module.exports?module.exports=a(require("jquery-validation")):jQuery.validator.unobtrusive=a(jQuery)}(function(s){var a,o=s.validator,d="unobtrusiveValidation";function l(a,e,n){a.rules[e]=n,a.message&&(a.messages[e]=a.message)}function u(a){return a.replace(/([!"#$%&'()*+,./:;<=>?@\[\\\]^`{|}~])/g,"\\$1")}function n(a){return a.substr(0,a.lastIndexOf(".")+1)}function m(a,e){return a=0===a.indexOf("*.")?a.replace("*.",e):a}function f(a){var e=s(this),n="__jquery_unobtrusive_validation_form_reset";if(!e.data(n)){e.data(n,!0);try{e.data("validator").resetForm()}finally{e.removeData(n)}e.find(".validation-summary-errors").addClass("validation-summary-valid").removeClass("validation-summary-errors"),e.find(".field-validation-error").addClass("field-validation-valid").removeClass("field-validation-error").removeData("unobtrusiveContainer").find(">*").removeData("unobtrusiveContainer")}}function p(n){function a(a,e){(a=r[a])&&s.isFunction(a)&&a.apply(n,e)}var e=s(n),t=e.data(d),i=s.proxy(f,n),r=o.unobtrusive.options||{};return t||(t={options:{errorClass:r.errorClass||"input-validation-error",errorElement:r.errorElement||"span",errorPlacement:function(){!function(a,e){var e=s(this).find("[data-valmsg-for='"+u(e[0].name)+"']"),n=(n=e.attr("data-valmsg-replace"))?!1!==s.parseJSON(n):null;e.removeClass("field-validation-valid").addClass("field-validation-error"),a.data("unobtrusiveContainer",e),n?(e.empty(),a.removeClass("input-validation-error").appendTo(e)):a.hide()}.apply(n,arguments),a("errorPlacement",arguments)},invalidHandler:function(){!function(a,e){var n=s(this).find("[data-valmsg-summary=true]"),t=n.find("ul");t&&t.length&&e.errorList.length&&(t.empty(),n.addClass("validation-summary-errors").removeClass("validation-summary-valid"),s.each(e.errorList,function(){s("<li />").html(this.message).appendTo(t)}))}.apply(n,arguments),a("invalidHandler",arguments)},messages:{},rules:{},success:function(){!function(a){var e,n=a.data("unobtrusiveContainer");n&&(e=(e=n.attr("data-valmsg-replace"))?s.parseJSON(e):null,n.addClass("field-validation-valid").removeClass("field-validation-error"),a.removeData("unobtrusiveContainer"),e&&n.empty())}.apply(n,arguments),a("success",arguments)}},attachValidation:function(){e.off("reset."+d,i).on("reset."+d,i).validate(this.options)},validate:function(){return e.validate(),e.valid()}},e.data(d,t)),t}return o.unobtrusive={adapters:[],parseElement:function(t,a){var e,i,r,o=s(t),d=o.parents("form")[0];d&&((e=p(d)).options.rules[t.name]=i={},e.options.messages[t.name]=r={},s.each(this.adapters,function(){var a="data-val-"+this.name,e=o.attr(a),n={};void 0!==e&&(a+="-",s.each(this.params,function(){n[this]=o.attr(a+this)}),this.adapt({element:t,form:d,message:e,params:n,rules:i,messages:r}))}),s.extend(i,{__dummy__:!0}),a||e.attachValidation())},parse:function(a){var a=s(a),e=a.parents().addBack().filter("form").add(a.find("form")).has("[data-val=true]");a.find("[data-val=true]").each(function(){o.unobtrusive.parseElement(this,!0)}),e.each(function(){var a=p(this);a&&a.attachValidation()})}},(a=o.unobtrusive.adapters).add=function(a,e,n){return n||(n=e,e=[]),this.push({name:a,params:e,adapt:n}),this},a.addBool=function(e,n){return this.add(e,function(a){l(a,n||e,!0)})},a.addMinMax=function(a,t,i,r,e,n){return this.add(a,[e||"min",n||"max"],function(a){var e=a.params.min,n=a.params.max;e&&n?l(a,r,[e,n]):e?l(a,t,e):n&&l(a,i,n)})},a.addSingleVal=function(e,n,t){return this.add(e,[n||"val"],function(a){l(a,t||e,a.params[n])})},o.addMethod("__dummy__",function(a,e,n){return!0}),o.addMethod("regex",function(a,e,n){return!!this.optional(e)||(e=new RegExp(n).exec(a))&&0===e.index&&e[0].length===a.length}),o.addMethod("nonalphamin",function(a,e,n){var t;return t=n?(t=a.match(/\W/g))&&t.length>=n:t}),o.methods.extension?(a.addSingleVal("accept","mimtype"),a.addSingleVal("extension","extension")):a.addSingleVal("extension","extension","accept"),a.addSingleVal("regex","pattern"),a.addBool("creditcard").addBool("date").addBool("digits").addBool("email").addBool("number").addBool("url"),a.addMinMax("length","minlength","maxlength","rangelength").addMinMax("range","min","max","range"),a.addMinMax("minlength","minlength").addMinMax("maxlength","minlength","maxlength"),a.add("equalto",["other"],function(a){var e=n(a.element.name),e=m(a.params.other,e);l(a,"equalTo",s(a.form).find(":input").filter("[name='"+u(e)+"']")[0])}),a.add("required",function(a){"INPUT"===a.element.tagName.toUpperCase()&&"CHECKBOX"===a.element.type.toUpperCase()||l(a,"required",!0)}),a.add("remote",["url","type","additionalfields"],function(t){var i={url:t.params.url,type:t.params.type||"GET",data:{}},r=n(t.element.name);s.each((t.params.additionalfields||t.element.name).replace(/^\s+|\s+$/g,"").split(/\s*,\s*/g),function(a,e){var n=m(e,r);i.data[n]=function(){var a=s(t.form).find(":input").filter("[name='"+u(n)+"']");return a.is(":checkbox")?a.filter(":checked").val()||a.filter(":hidden").val()||"":a.is(":radio")?a.filter(":checked").val()||"":a.val()}}),l(t,"remote",i)}),a.add("password",["min","nonalphamin","regex"],function(a){a.params.min&&l(a,"minlength",a.params.min),a.params.nonalphamin&&l(a,"nonalphamin",a.params.nonalphamin),a.params.regex&&l(a,"regex",a.params.regex)}),a.add("fileextensions",["extensions"],function(a){l(a,"extension",a.params.extensions)}),s(function(){o.unobtrusive.parse(document)}),o.unobtrusive});


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/lib/jquery-validation/LICENSE.md:
--------------------------------------------------------------------------------
 1 | The MIT License (MIT)
 2 | =====================
 3 | 
 4 | Copyright Jörn Zaefferer
 5 | 
 6 | Permission is hereby granted, free of charge, to any person obtaining a copy
 7 | of this software and associated documentation files (the "Software"), to deal
 8 | in the Software without restriction, including without limitation the rights
 9 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
10 | copies of the Software, and to permit persons to whom the Software is
11 | furnished to do so, subject to the following conditions:
12 | 
13 | The above copyright notice and this permission notice shall be included in
14 | all copies or substantial portions of the Software.
15 | 
16 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
22 | THE SOFTWARE.
23 | 


--------------------------------------------------------------------------------
/IdentityProvider/wwwroot/lib/jquery/LICENSE.txt:
--------------------------------------------------------------------------------
 1 | 
 2 | Copyright OpenJS Foundation and other contributors, https://openjsf.org/
 3 | 
 4 | Permission is hereby granted, free of charge, to any person obtaining
 5 | a copy of this software and associated documentation files (the
 6 | "Software"), to deal in the Software without restriction, including
 7 | without limitation the rights to use, copy, modify, merge, publish,
 8 | distribute, sublicense, and/or sell copies of the Software, and to
 9 | permit persons to whom the Software is furnished to do so, subject to
10 | the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be
13 | included in all copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 | EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 | MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 | NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
19 | LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
20 | OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
21 | WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Backend for frontend security architecture (BFF) using Vue.JS and ASP.NET Core
  2 | 
  3 | Implements an OpenID Connect confidential client client using Vue.JS and a UI and ASP.NET Core to implement the API. The application is secured using an OpenID Connect confidential client using OAuth PKCE. The Vue.js application is served from the ASP.NET Core application using the YARP reverse proxy in development. The Vue.js application is built into the wwwroot of the ASP.NET Core application in production. OpenIddict is used to implement the identity server.
  4 | 
  5 | [![.NET and npm build](https://github.com/damienbod/bff-aspnetcore-oidc-vuejs/actions/workflows/dotnet.yml/badge.svg)](https://github.com/damienbod/bff-aspnetcore-oidc-vuejs/actions/workflows/dotnet.yml) [![License](https://img.shields.io/badge/license-Apache%20License%202.0-blue.svg)](https://github.com/damienbod/bff-aspnetcore-oidc-vuejs/blob/main/LICENSE)
  6 | 
  7 | ## Setup Server 
  8 | 
  9 | The ASP.NET Core project is setup to run in development and production. In production, it uses the Vue.js production build deployed to the wwwroot. In development, it uses MS YARP reverse proxy to forward requests.
 10 | 
 11 | > [!IMPORTANT]  
 12 | > In production, the Vue.js project is built into the **wwwroot** of the .NET project.
 13 | 
 14 | ![BFF production](https://github.com/damienbod/bff-aspnetcore-oidc-vuejs/blob/main/images/vue-aspnetcore-bff.drawio.png)
 15 | 
 16 | Configure the YARP reverse proxy to match the Vue.js URL. This is only required in development. I always use HTTPS in development and the port needs to match the Vue.js developement env (vite.config.js).
 17 | 
 18 | ```json
 19 |  "UiDevServerUrl": "https://localhost:4202",
 20 |   "ReverseProxy": {
 21 |     "Routes": {
 22 |       "route1": {
 23 |         "ClusterId": "cluster1",
 24 |         "Match": {
 25 |           "Path": "{**catch-all}"
 26 |         }
 27 |       }
 28 |     },
 29 |     "Clusters": {
 30 |       "cluster1": {
 31 |         "HttpClient": {
 32 |           "SslProtocols": [
 33 |             "Tls12"
 34 |           ]
 35 |         },
 36 |         "Destinations": {
 37 |           "cluster1/destination1": {
 38 |             "Address": "https://localhost:4202/"
 39 |           }
 40 |         }
 41 |       }
 42 |     }
 43 |   }
 44 | ```
 45 | 
 46 | 
 47 | ## Setup Vue.js Vite project
 48 | 
 49 | Add the certificates to the nx project for example in the **/certs** folder
 50 | 
 51 | Update the vite.config.ts file:
 52 | 
 53 | ```typescipt
 54 | import { defineConfig } from 'vite'
 55 | import vue from '@vitejs/plugin-vue'
 56 | import fs from 'fs';
 57 | 
 58 | // https://vitejs.dev/config/
 59 | export default defineConfig({
 60 |   plugins: [vue()],
 61 |   server: {
 62 |     https: {
 63 |       key: fs.readFileSync('./certs/dev_localhost.key'),
 64 |       cert: fs.readFileSync('./certs/dev_localhost.pem'),
 65 | 	},
 66 |     port: 4202,
 67 |     strictPort: true, // exit if port is in use
 68 |     hmr: {
 69 |       clientPort: 4202, // point vite websocket connection to vite directly, circumventing .net proxy
 70 |     },
 71 |   },
 72 |   optimizeDeps: {
 73 |     force: true,
 74 |   },
 75 |   build: {
 76 |     outDir: "../server/wwwroot",
 77 |     emptyOutDir: true
 78 |   },
 79 | })
 80 | ```
 81 | 
 82 | 
 83 | > [!NOTE]  
 84 | > The ASP.NET Core project setup uses port 4202, this needs to match the YARP reverse proxy settings for development.
 85 | 
 86 | 
 87 | ## Setup development
 88 | 
 89 | The development environment is setup to use the default tools for each of the tech stacks. Vue.js is used like recommended. I use Visual Studio code. A YARP reverse proxy is used to integrate the Vue.js development into the backend application.
 90 | 
 91 | ![BFF development](https://github.com/damienbod/bff-aspnetcore-oidc-vuejs/blob/main/images/vue-aspnetcore-bff-yarp-dev.drawio.png)
 92 | 
 93 | > [!NOTE]  
 94 | > Always run in HTTPS, both in development and production
 95 | 
 96 | ```
 97 | npm start
 98 | ```
 99 | 
100 | The OpenID Connect client is setup using the default ASP.NET Core OpenID connect handler.
101 | 
102 | ```csharp
103 | services.AddAuthentication(options =>
104 | {
105 |     options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
106 |     options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
107 | })
108 | .AddCookie()
109 | .AddOpenIdConnect(options =>
110 | {
111 |     builder.Configuration.GetSection("OpenIDConnectSettings").Bind(options);
112 |     options.Authority = builder.Configuration["OpenIDConnectSettings:Authority"];
113 |     options.ClientId = builder.Configuration["OpenIDConnectSettings:ClientId"];
114 |     options.ClientSecret = builder.Configuration["OpenIDConnectSettings:ClientSecret"];
115 | 
116 |     options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
117 |     options.ResponseType = OpenIdConnectResponseType.Code;
118 | 
119 |     options.SaveTokens = true;
120 |     options.GetClaimsFromUserInfoEndpoint = true;
121 |     options.TokenValidationParameters = new TokenValidationParameters
122 |     {
123 |         NameClaimType = "name"
124 |     };
125 | });
126 | 
127 | services.AddControllersWithViews(options =>
128 |     options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
129 | 
130 | services.AddRazorPages().AddMvcOptions(options =>
131 | {
132 |     var policy = new AuthorizationPolicyBuilder()
133 |         .RequireAuthenticatedUser()
134 |         .Build();
135 |     options.Filters.Add(new AuthorizeFilter(policy));
136 | });
137 | ```
138 | 
139 | Add the Azure App registration settings to the **appsettings.Development.json** and the **ClientSecret** to the user secrets.
140 | 
141 | ```json
142 | "OpenIDConnectSettings": {
143 |     "Authority": "https://localhost:44318",
144 |     "ClientId": "oidc-pkce-confidential",
145 |     "ClientSecret": "oidc-pkce-confidential_secret"
146 | },
147 | ```
148 | 
149 | ## Debugging
150 | 
151 | Start the Vue.js project from the **ui** folder
152 | 
153 | ```
154 | npm start
155 | ```
156 | 
157 | Start the ASP.NET Core project from the **server** folder
158 | 
159 | ```
160 | dotnet run
161 | ```
162 | 
163 | Or just open Visual Studio and run the solution.
164 | 
165 | ## Github actions build
166 | 
167 | Github actions is used for the DevOps. The build pipeline builds both the .NET project and the Vue.js project using npm. The two projects are built in the same step because the UI project is built into the wwwroot of the server project.
168 | 
169 | ```yaml
170 | 
171 | name: .NET and npm build
172 | 
173 | on:
174 |   push:
175 |     branches: [ "main" ]
176 |   pull_request:
177 |     branches: [ "main" ]
178 | 
179 | jobs:
180 |   build:
181 |     runs-on: ubuntu-latest
182 | 
183 |     steps:
184 | 
185 |       - uses: actions/checkout@v4
186 |       - name: Setup .NET
187 |         uses: actions/setup-dotnet@v4
188 |         with:
189 |           dotnet-version: 9.0.x
190 | 
191 |       - name: Restore dependencies
192 |         run: dotnet restore
193 | 
194 |       - name: npm setup
195 |         working-directory: ui
196 |         run: npm install
197 | 
198 |       - name: ui-build
199 |         working-directory: ui
200 |         run: npm run build
201 | 
202 |       - name: Build
203 |         run: dotnet build --no-restore
204 |       - name: Test
205 |         run: dotnet test --no-build --verbosity normal
206 | ```
207 | 
208 | ## Credits and used libraries
209 | 
210 | - NetEscapades.AspNetCore.SecurityHeaders
211 | - Yarp.ReverseProxy
212 | - Microsoft.Identity.Web
213 | - ASP.NET Core
214 | - Vue.js
215 | - Vite
216 | - OpenIddict
217 | 
218 | ## Links
219 | 
220 | https://vuejs.org/
221 | 
222 | https://vitejs.dev/
223 | 
224 | https://github.com/vuejs/create-vue
225 | 
226 | https://documentation.openiddict.com/
227 | 
228 | https://www.koderhq.com/tutorial/vue/vite/
229 | 
230 | https://github.com/damienbod/bff-aspnetcore-angular
231 | 
232 | https://github.com/damienbod/bff-openiddict-aspnetcore-angular
233 | 
234 | https://github.com/damienbod/bff-aspnetcore-vuejs
235 | 


--------------------------------------------------------------------------------
/bff/server/BffOidc.Server.csproj:
--------------------------------------------------------------------------------
 1 | <Project Sdk="Microsoft.NET.Sdk.Web">
 2 | 
 3 | 	<PropertyGroup>
 4 | 		<TargetFramework>net9.0</TargetFramework>
 5 | 		<Nullable>enable</Nullable>
 6 | 		<ImplicitUsings>enable</ImplicitUsings>
 7 | 	</PropertyGroup>
 8 | 
 9 | 	<ItemGroup>
10 | 		<PackageReference Include="Microsoft.AspNetCore.Authentication.OpenIdConnect" Version="9.0.5" NoWarn="NU1605" />
11 | 		<PackageReference Include="Microsoft.AspNetCore.Components.WebAssembly.Server" Version="9.0.5" />
12 | 		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders" Version="1.1.0" />
13 | 		<PackageReference Include="NetEscapades.AspNetCore.SecurityHeaders.TagHelpers" Version="1.1.0" />
14 | 		<PackageReference Include="Yarp.ReverseProxy" Version="2.3.0" />
15 | 	</ItemGroup>
16 | 
17 | </Project>
18 | 


--------------------------------------------------------------------------------
/bff/server/Controllers/AccountController.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Authentication;
 2 | using Microsoft.AspNetCore.Authentication.Cookies;
 3 | using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 4 | using Microsoft.AspNetCore.Authorization;
 5 | using Microsoft.AspNetCore.Mvc;
 6 | 
 7 | namespace BffOidc.Server.Controllers;
 8 | 
 9 | // orig src https://github.com/berhir/BlazorWebAssemblyCookieAuth
10 | [Route("api/[controller]")]
11 | public class AccountController : ControllerBase
12 | {
13 |     [HttpGet("Login")]
14 |     public ActionResult Login(string? returnUrl, string? claimsChallenge)
15 |     {
16 |         // var claims = "{\"access_token\":{\"acrs\":{\"essential\":true,\"value\":\"c1\"}}}";
17 |         // var claims = "{\"id_token\":{\"acrs\":{\"essential\":true,\"value\":\"c1\"}}}";
18 |         var redirectUri = !string.IsNullOrEmpty(returnUrl) ? returnUrl : "/";
19 | 
20 |         var properties = new AuthenticationProperties { RedirectUri = redirectUri };
21 | 
22 |         if (claimsChallenge != null)
23 |         {
24 |             string jsonString = claimsChallenge.Replace("\\", "")
25 |                 .Trim(new char[1] { '"' });
26 | 
27 |             properties.Items["claims"] = jsonString;
28 |         }
29 | 
30 |         return Challenge(properties);
31 |     }
32 | 
33 |     // [ValidateAntiForgeryToken] // not needed explicitly due the the Auto global definition.
34 |     [IgnoreAntiforgeryToken] // need to apply this to the form post request
35 |     [Authorize]
36 |     [HttpPost("Logout")]
37 |     public IActionResult Logout()
38 |     {
39 |         return SignOut(
40 |             new AuthenticationProperties { RedirectUri = "/" },
41 |             CookieAuthenticationDefaults.AuthenticationScheme,
42 |             OpenIdConnectDefaults.AuthenticationScheme);
43 |     }
44 | }
45 | 


--------------------------------------------------------------------------------
/bff/server/Controllers/DirectApiController.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Authentication.Cookies;
 2 | using Microsoft.AspNetCore.Authorization;
 3 | using Microsoft.AspNetCore.Mvc;
 4 | 
 5 | namespace BffOidc.Server.Controllers;
 6 | 
 7 | [ValidateAntiForgeryToken]
 8 | [Authorize(AuthenticationSchemes = CookieAuthenticationDefaults.AuthenticationScheme)]
 9 | [ApiController]
10 | [Route("api/[controller]")]
11 | public class DirectApiController : ControllerBase
12 | {
13 |     [HttpGet]
14 |     public IEnumerable<string> Get()
15 |     {
16 |         return new List<string> { "some data", "more data", "loads of data" };
17 |     }
18 | }
19 | 


--------------------------------------------------------------------------------
/bff/server/Controllers/UserController.cs:
--------------------------------------------------------------------------------
 1 | using BffOidc.Server.Models;
 2 | using Microsoft.AspNetCore.Authorization;
 3 | using Microsoft.AspNetCore.Mvc;
 4 | 
 5 | using System.Security.Claims;
 6 | 
 7 | namespace BlazorBffOpenIDConnect.Server.Controllers;
 8 | 
 9 | [Route("api/[controller]")]
10 | [ApiController]
11 | public class UserController : ControllerBase
12 | {
13 |     [HttpGet]
14 |     [AllowAnonymous]
15 |     public IActionResult GetCurrentUser() => Ok(CreateUserInfo(User));
16 | 
17 |     private static UserInfo CreateUserInfo(ClaimsPrincipal claimsPrincipal)
18 |     {
19 |         if (!claimsPrincipal?.Identity?.IsAuthenticated ?? true)
20 |         {
21 |             return UserInfo.Anonymous;
22 |         }
23 | 
24 |         var userInfo = new UserInfo
25 |         {
26 |             IsAuthenticated = true
27 |         };
28 | 
29 |         if (claimsPrincipal?.Identity is ClaimsIdentity claimsIdentity)
30 |         {
31 |             userInfo.NameClaimType = claimsIdentity.NameClaimType;
32 |             userInfo.RoleClaimType = claimsIdentity.RoleClaimType;
33 |         }
34 |         else
35 |         {
36 |             userInfo.NameClaimType = ClaimTypes.Name;
37 |             userInfo.RoleClaimType = ClaimTypes.Role;
38 |         }
39 | 
40 |         if (claimsPrincipal?.Claims?.Any() ?? false)
41 |         {
42 |             // Add just the name claim
43 |             var claims = claimsPrincipal.FindAll(userInfo.NameClaimType)
44 |                                         .Select(u => new ClaimValue(userInfo.NameClaimType, u.Value))
45 |                                         .ToList();
46 | 
47 |             // Uncomment this code if you want to send additional claims to the client.
48 |             //var claims = claimsPrincipal.Claims.Select(u => new ClaimValue(u.Type, u.Value))
49 |             //                                      .ToList();
50 | 
51 |             userInfo.Claims = claims;
52 |         }
53 | 
54 |         return userInfo;
55 |     }
56 | }
57 | 


--------------------------------------------------------------------------------
/bff/server/Models/ClaimValue.cs:
--------------------------------------------------------------------------------
 1 | namespace BffOidc.Server.Models;
 2 | 
 3 | public class ClaimValue
 4 | {
 5 |     public ClaimValue()
 6 |     {
 7 |     }
 8 | 
 9 |     public ClaimValue(string type, string value)
10 |     {
11 |         Type = type;
12 |         Value = value;
13 |     }
14 | 
15 |     public string Type { get; set; } = string.Empty;
16 | 
17 |     public string Value { get; set; } = string.Empty;
18 | }


--------------------------------------------------------------------------------
/bff/server/Models/UserInfo.cs:
--------------------------------------------------------------------------------
 1 | namespace BffOidc.Server.Models;
 2 | 
 3 | public class UserInfo
 4 | {
 5 |     public static readonly UserInfo Anonymous = new();
 6 | 
 7 |     public bool IsAuthenticated { get; set; }
 8 | 
 9 |     public string NameClaimType { get; set; } = string.Empty;
10 | 
11 |     public string RoleClaimType { get; set; } = string.Empty;
12 | 
13 |     public ICollection<ClaimValue> Claims { get; set; } = new List<ClaimValue>();
14 | }
15 | 


--------------------------------------------------------------------------------
/bff/server/Pages/Error.cshtml:
--------------------------------------------------------------------------------
 1 | @page
 2 | @model BffOidc.Server.Pages.ErrorModel
 3 | 
 4 | <!DOCTYPE html>
 5 | <html>
 6 | 
 7 | <head>
 8 |     <meta charset="utf-8" />
 9 |     <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no" />
10 |     <title>Error</title>
11 | </head>
12 | 
13 | <body>
14 |     <div class="main">
15 |         <div class="content px-4">
16 |             <h1 class="text-danger">Error.</h1>
17 |             <h2 class="text-danger">An error occurred while processing your request.</h2>
18 | 
19 |             @if (Model.ShowRequestId)
20 |             {
21 |                 <p>
22 |                     <strong>Request ID:</strong> <code>@Model.RequestId</code>
23 |                 </p>
24 |             }
25 | 
26 |             <h3>Development Mode</h3>
27 |             <p>
28 |                 Swapping to the <strong>Development</strong> environment displays detailed information about the error that occurred.
29 |             </p>
30 |             <p>
31 |                 <strong>The Development environment shouldn't be enabled for deployed applications.</strong>
32 |                 It can result in displaying sensitive information from exceptions to end users.
33 |                 For local debugging, enable the <strong>Development</strong> environment by setting the <strong>ASPNETCORE_ENVIRONMENT</strong> environment variable to <strong>Development</strong>
34 |                 and restarting the app.
35 |             </p>
36 |         </div>
37 |     </div>
38 | </body>
39 | 
40 | </html>
41 | 


--------------------------------------------------------------------------------
/bff/server/Pages/Error.cshtml.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.AspNetCore.Mvc;
 2 | using Microsoft.AspNetCore.Mvc.RazorPages;
 3 | using System.Diagnostics;
 4 | 
 5 | namespace BffOidc.Server.Pages;
 6 | 
 7 | [ResponseCache(Duration = 0, Location = ResponseCacheLocation.None, NoStore = true)]
 8 | [IgnoreAntiforgeryToken]
 9 | public class ErrorModel : PageModel
10 | {
11 |     public string? RequestId { get; set; }
12 | 
13 |     public bool ShowRequestId => !string.IsNullOrEmpty(RequestId);
14 | 
15 |     public void OnGet()
16 |     {
17 |         RequestId = Activity.Current?.Id ?? HttpContext.TraceIdentifier;
18 |     }
19 | }
20 | 


--------------------------------------------------------------------------------
/bff/server/Pages/_Host.cshtml:
--------------------------------------------------------------------------------
 1 | @page "/"
 2 | @namespace BlazorBffAzureAD.Pages
 3 | @using System.Net;
 4 | @using NetEscapades.AspNetCore.SecurityHeaders;
 5 | @addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers
 6 | @addTagHelper *, NetEscapades.AspNetCore.SecurityHeaders.TagHelpers
 7 | @inject IHostEnvironment hostEnvironment
 8 | @inject IConfiguration config
 9 | @inject Microsoft.AspNetCore.Antiforgery.IAntiforgery antiForgery
10 | @{
11 |     Layout = null;
12 | 
13 |     var source = string.Empty;
14 |     if (hostEnvironment.IsDevelopment())
15 |     {
16 |         var httpClient = new HttpClient();
17 |         source = await httpClient.GetStringAsync($"{config["UiDevServerUrl"]}/index.html");
18 |     }
19 |     else
20 |     {
21 |         source = System.IO.File.ReadAllText($"{System.IO.Directory.GetCurrentDirectory()}{@"/wwwroot/index.html"}");
22 |     }
23 | 
24 |     var nonce = HttpContext.GetNonce();
25 | 
26 |     // The nonce is passed to the client through the HTML to avoid sync issues between tabs
27 |     source = source.Replace("**PLACEHOLDER_NONCE_SERVER**", nonce);
28 | 
29 |     var nonceScript = $"<script nonce=\"{nonce}\" ";
30 |     source = source.Replace("<script ", nonceScript);
31 | 
32 |     // link rel="stylesheet"
33 |     var nonceLinkStyle = $"<link nonce=\"{nonce}\" rel=\"stylesheet";
34 |     source = source.Replace("<link rel=\"stylesheet", nonceLinkStyle);
35 | 
36 |     var xsrf = antiForgery.GetAndStoreTokens(HttpContext);
37 |     var requestToken = xsrf.RequestToken;
38 | 
39 |     // The XSRF-Tokens are passed to the client through cookies, since we always want the most up-to-date cookies across all tabs
40 |     Response.Cookies.Append("XSRF-RequestToken", requestToken ?? "", new CookieOptions() { HttpOnly = false, IsEssential = true, Secure = true, SameSite = SameSiteMode.Strict });
41 | }
42 | 
43 | @Html.Raw(source)
44 | 


--------------------------------------------------------------------------------
/bff/server/Program.cs:
--------------------------------------------------------------------------------
  1 | using BffOidc.Server;
  2 | using BffOidc.Server.Services;
  3 | using Microsoft.AspNetCore.Authentication.Cookies;
  4 | using Microsoft.AspNetCore.Authentication.OpenIdConnect;
  5 | using Microsoft.AspNetCore.Mvc;
  6 | using Microsoft.IdentityModel.JsonWebTokens;
  7 | using Microsoft.IdentityModel.Logging;
  8 | using Microsoft.IdentityModel.Protocols.OpenIdConnect;
  9 | using NetEscapades.AspNetCore.SecurityHeaders.Infrastructure;
 10 | 
 11 | var builder = WebApplication.CreateBuilder(args);
 12 | 
 13 | builder.WebHost.ConfigureKestrel(serverOptions =>
 14 | {
 15 |     serverOptions.AddServerHeader = false;
 16 | });
 17 | 
 18 | var services = builder.Services;
 19 | var configuration = builder.Configuration;
 20 | 
 21 | services.AddSecurityHeaderPolicies()
 22 |   .SetPolicySelector((PolicySelectorContext ctx) =>
 23 |   {
 24 |       return SecurityHeadersDefinitions.GetHeaderPolicyCollection(builder.Environment.IsDevelopment(),
 25 |         configuration["OpenIDConnectSettings:Authority"]);
 26 |   });
 27 | 
 28 | services.AddAntiforgery(options =>
 29 | {
 30 |     options.HeaderName = "X-XSRF-TOKEN";
 31 |     options.Cookie.Name = "__Host-X-XSRF-TOKEN";
 32 |     options.Cookie.SameSite = SameSiteMode.Strict;
 33 |     options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
 34 | });
 35 | 
 36 | services.AddHttpClient();
 37 | services.AddOptions();
 38 | 
 39 | services.AddAuthentication(options =>
 40 | {
 41 |     options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 42 |     options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
 43 | })
 44 | .AddCookie()
 45 | .AddOpenIdConnect(options =>
 46 | {
 47 |     var oidcConfig = builder.Configuration.GetSection("OpenIDConnectSettings");
 48 | 
 49 |     options.Authority = oidcConfig["Authority"];
 50 |     options.ClientId = oidcConfig["ClientId"];
 51 |     options.ClientSecret = oidcConfig["ClientSecret"];
 52 | 
 53 |     options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
 54 |     options.ResponseType = OpenIdConnectResponseType.Code;
 55 | 
 56 |     options.SaveTokens = true;
 57 |     options.GetClaimsFromUserInfoEndpoint = true;
 58 |     options.MapInboundClaims = false;
 59 |     options.TokenValidationParameters.NameClaimType = JwtRegisteredClaimNames.Name;
 60 | });
 61 | 
 62 | services.AddControllersWithViews(options =>
 63 |     options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
 64 | 
 65 | services.AddRazorPages().AddMvcOptions(options =>
 66 | {
 67 |     //var policy = new AuthorizationPolicyBuilder()
 68 |     //    .RequireAuthenticatedUser()
 69 |     //    .Build();
 70 |     //options.Filters.Add(new AuthorizeFilter(policy));
 71 | });
 72 | 
 73 | builder.Services.AddReverseProxy()
 74 |    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));
 75 | 
 76 | var app = builder.Build();
 77 | 
 78 | IdentityModelEventSource.ShowPII = true;
 79 | JsonWebTokenHandler.DefaultInboundClaimTypeMap.Clear();
 80 | 
 81 | if (app.Environment.IsDevelopment())
 82 | {
 83 |     app.UseDeveloperExceptionPage();
 84 |     app.UseWebAssemblyDebugging();
 85 | }
 86 | else
 87 | {
 88 |     app.UseExceptionHandler("/Error");
 89 | }
 90 | 
 91 | app.UseSecurityHeaders();
 92 | app.UseHttpsRedirection();
 93 | app.UseStaticFiles();
 94 | app.UseRouting();
 95 | app.UseNoUnauthorizedRedirect("/api");
 96 | 
 97 | app.UseAuthorization();
 98 | 
 99 | app.MapRazorPages();
100 | app.MapControllers();
101 | app.MapNotFound("/api/{**segment}");
102 | 
103 | if (app.Environment.IsDevelopment())
104 | {
105 |     var uiDevServer = app.Configuration.GetValue<string>("UiDevServerUrl");
106 |     if (!string.IsNullOrEmpty(uiDevServer))
107 |     {
108 |         app.MapReverseProxy();
109 |     }
110 | }
111 | 
112 | app.MapFallbackToPage("/_Host");
113 | 
114 | app.Run();
115 | 


--------------------------------------------------------------------------------
/bff/server/Properties/launchSettings.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "profiles": {
 3 |     "BffOidc.Server": {
 4 |       "commandName": "Project",
 5 |       "launchBrowser": true,
 6 |       "environmentVariables": {
 7 |         "ASPNETCORE_ENVIRONMENT": "Development"
 8 |       },
 9 |       "applicationUrl": "https://localhost:44360"
10 |     }
11 |   }
12 | }


--------------------------------------------------------------------------------
/bff/server/SecurityHeadersDefinitions.cs:
--------------------------------------------------------------------------------
 1 | namespace BffOidc.Server;
 2 | 
 3 | public static class SecurityHeadersDefinitions
 4 | {
 5 |     private static HeaderPolicyCollection? policy;
 6 | 
 7 |     public static HeaderPolicyCollection GetHeaderPolicyCollection(bool isDev, string? idpHost)
 8 |     {
 9 |         ArgumentNullException.ThrowIfNull(idpHost);
10 | 
11 |         // Avoid building a new HeaderPolicyCollection on every request for performance reasons.
12 |         // Where possible, cache and reuse HeaderPolicyCollection instances.
13 |         if (policy != null) return policy;
14 | 
15 |         policy = new HeaderPolicyCollection()
16 |             .AddFrameOptionsDeny()
17 |             .AddContentTypeOptionsNoSniff()
18 |             .AddReferrerPolicyStrictOriginWhenCrossOrigin()
19 |             .AddCrossOriginOpenerPolicy(builder => builder.SameOrigin())
20 |             .AddCrossOriginResourcePolicy(builder => builder.SameOrigin())
21 |             .AddCrossOriginEmbedderPolicy(builder => builder.RequireCorp()) // remove for dev if using hot reload
22 |             .AddContentSecurityPolicy(builder =>
23 |             {
24 |                 builder.AddObjectSrc().None();
25 |                 builder.AddBlockAllMixedContent();
26 |                 builder.AddImgSrc().Self().From("data:");
27 |                 builder.AddFormAction().Self().From(idpHost);
28 |                 builder.AddFontSrc().Self();
29 |                 builder.AddBaseUri().Self();
30 |                 builder.AddFrameAncestors().None();
31 | 
32 |                 if (isDev)
33 |                 {
34 |                     builder.AddStyleSrc().Self().UnsafeInline();
35 |                 }
36 |                 else
37 |                 {
38 |                     builder.AddStyleSrc().WithNonce().UnsafeInline();
39 |                 }
40 | 
41 |                 builder.AddScriptSrc().WithNonce().UnsafeInline();
42 |             })
43 |             .RemoveServerHeader()
44 |             .AddPermissionsPolicyWithDefaultSecureDirectives();
45 | 
46 |         if (!isDev)
47 |         {
48 |             // maxage = one year in seconds
49 |             policy.AddStrictTransportSecurityMaxAgeIncludeSubDomains(maxAgeInSeconds: 60 * 60 * 24 * 365);
50 |         }
51 | 
52 |         return policy;
53 |     }
54 | }
55 | 


--------------------------------------------------------------------------------
/bff/server/Services/ApplicationBuilderExtensions.cs:
--------------------------------------------------------------------------------
 1 | using Microsoft.Net.Http.Headers;
 2 | 
 3 | namespace BffOidc.Server.Services;
 4 | 
 5 | public static class ApplicationBuilderExtensions
 6 | {
 7 |     public static IApplicationBuilder UseNoUnauthorizedRedirect(this IApplicationBuilder applicationBuilder, params string[] segments)
 8 |     {
 9 |         applicationBuilder.Use(async (httpContext, func) =>
10 |         {
11 |             if (segments.Any(s => httpContext.Request.Path.StartsWithSegments(s)))
12 |             {
13 |                 httpContext.Request.Headers[HeaderNames.XRequestedWith] = "XMLHttpRequest";
14 |             }
15 | 
16 |             await func();
17 |         });
18 | 
19 |         return applicationBuilder;
20 |     }
21 | }
22 | 


--------------------------------------------------------------------------------
/bff/server/Services/EndpointRouteBuilderExtensions.cs:
--------------------------------------------------------------------------------
 1 | namespace BffOidc.Server.Services;
 2 | 
 3 | public static class EndpointRouteBuilderExtensions
 4 | {
 5 |     public static IEndpointRouteBuilder MapNotFound(this IEndpointRouteBuilder endpointRouteBuilder, string pattern)
 6 |     {
 7 |         endpointRouteBuilder.Map(pattern, context =>
 8 |         {
 9 |             context.Response.StatusCode = StatusCodes.Status404NotFound;
10 |             return Task.CompletedTask;
11 |         });
12 | 
13 |         return endpointRouteBuilder;
14 |     }
15 | }
16 | 


--------------------------------------------------------------------------------
/bff/server/appsettings.Development.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "Logging": {
 3 |     "LogLevel": {
 4 |       "Default": "Information",
 5 |       "Microsoft": "Warning",
 6 |       "Microsoft.Hosting.Lifetime": "Information"
 7 |     }
 8 |   },
 9 |   "UiDevServerUrl": "https://localhost:4202",
10 |   "ReverseProxy": {
11 |     "Routes": {
12 |       "route1": {
13 |         "ClusterId": "cluster1",
14 |         "Match": {
15 |           "Path": "{**catch-all}"
16 |         }
17 |       }
18 |     },
19 |     "Clusters": {
20 |       "cluster1": {
21 |         "HttpClient": {
22 |           "SslProtocols": [
23 |             "Tls12"
24 |           ]
25 |         },
26 |         "Destinations": {
27 |           "cluster1/destination1": {
28 |             "Address": "https://localhost:4202/"
29 |           }
30 |         }
31 |       }
32 |     }
33 |   }
34 | }
35 | 


--------------------------------------------------------------------------------
/bff/server/appsettings.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "OpenIDConnectSettings": {
 3 |     "Authority": "https://localhost:44318",
 4 |     "ClientId": "oidc-pkce-confidential",
 5 |     "ClientSecret": "oidc-pkce-confidential_secret"
 6 |   },
 7 |   "Logging": {
 8 |     "LogLevel": {
 9 |       "Default": "Information",
10 |       "Microsoft": "Warning",
11 |       "Microsoft.Hosting.Lifetime": "Information"
12 |     }
13 |   },
14 |   "AllowedHosts": "*"
15 | }
16 | 


--------------------------------------------------------------------------------
/bff/server/wwwroot/assets/index-87c75793.css:
--------------------------------------------------------------------------------
1 | :root{font-family:Inter,system-ui,Avenir,Helvetica,Arial,sans-serif;line-height:1.5;font-weight:400;color-scheme:light dark;color:#ffffffde;background-color:#242424;font-synthesis:none;text-rendering:optimizeLegibility;-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale;-webkit-text-size-adjust:100%}a{font-weight:500;color:#646cff;text-decoration:inherit}a:hover{color:#535bf2}body{margin:0;display:flex;place-items:center;min-width:320px;min-height:100vh}h1{font-size:3.2em;line-height:1.1}button{border-radius:8px;border:1px solid transparent;padding:.6em 1.2em;font-size:1em;font-weight:500;font-family:inherit;background-color:#1a1a1a;cursor:pointer;transition:border-color .25s}button:hover{border-color:#646cff}button:focus,button:focus-visible{outline:4px auto -webkit-focus-ring-color}.card{padding:2em}#app{max-width:1280px;margin:0 auto;padding:2rem;text-align:center}@media (prefers-color-scheme: light){:root{color:#213547;background-color:#fff}a:hover{color:#747bff}button{background-color:#f9f9f9}}.read-the-docs[data-v-2ddc71fa],.read-the-docs[data-v-70ee7df5]{color:#888}.logo[data-v-208b9ab0]{height:6em;padding:1.5em;will-change:filter;transition:filter .3s}.logo[data-v-208b9ab0]:hover{filter:drop-shadow(0 0 2em #646cffaa)}.logo.vue[data-v-208b9ab0]:hover{filter:drop-shadow(0 0 2em #42b883aa)}
2 | 


--------------------------------------------------------------------------------
/bff/server/wwwroot/assets/vue-5532db34.svg:
--------------------------------------------------------------------------------
1 | <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="37.07" height="36" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 198"><path fill="#41B883" d="M204.8 0H256L128 220.8L0 0h97.92L128 51.2L157.44 0h47.36Z"></path><path fill="#41B883" d="m0 0l128 220.8L256 0h-51.2L128 132.48L50.56 0H0Z"></path><path fill="#35495E" d="M50.56 0L128 133.12L204.8 0h-47.36L128 51.2L97.92 0H50.56Z"></path></svg>


--------------------------------------------------------------------------------
/bff/server/wwwroot/index.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |     <meta charset="UTF-8" />
 5 | 	<meta name="CSP_NONCE" content="**PLACEHOLDER_NONCE_SERVER**" />
 6 |     <link rel="icon" type="image/svg+xml" href="/vite.svg" />
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 8 |     <title>Vite + Vue + TS</title>
 9 |     <script type="module" crossorigin src="/assets/index-88585cd9.js"></script>
10 |     <link rel="stylesheet" href="/assets/index-87c75793.css">
11 |   </head>
12 |   <body>
13 |     <div id="app"></div>
14 |     
15 |   </body>
16 | </html>
17 | 


--------------------------------------------------------------------------------
/bff/server/wwwroot/vite.svg:
--------------------------------------------------------------------------------
1 | <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="31.88" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 257"><defs><linearGradient id="IconifyId1813088fe1fbc01fb466" x1="-.828%" x2="57.636%" y1="7.652%" y2="78.411%"><stop offset="0%" stop-color="#41D1FF"></stop><stop offset="100%" stop-color="#BD34FE"></stop></linearGradient><linearGradient id="IconifyId1813088fe1fbc01fb467" x1="43.376%" x2="50.316%" y1="2.242%" y2="89.03%"><stop offset="0%" stop-color="#FFEA83"></stop><stop offset="8.333%" stop-color="#FFDD35"></stop><stop offset="100%" stop-color="#FFA800"></stop></linearGradient></defs><path fill="url(#IconifyId1813088fe1fbc01fb466)" d="M255.153 37.938L134.897 252.976c-2.483 4.44-8.862 4.466-11.382.048L.875 37.958c-2.746-4.814 1.371-10.646 6.827-9.67l120.385 21.517a6.537 6.537 0 0 0 2.322-.004l117.867-21.483c5.438-.991 9.574 4.796 6.877 9.62Z"></path><path fill="url(#IconifyId1813088fe1fbc01fb467)" d="M185.432.063L96.44 17.501a3.268 3.268 0 0 0-2.634 3.014l-5.474 92.456a3.268 3.268 0 0 0 3.997 3.378l24.777-5.718c2.318-.535 4.413 1.507 3.936 3.838l-7.361 36.047c-.495 2.426 1.782 4.5 4.151 3.78l15.304-4.649c2.372-.72 4.652 1.36 4.15 3.788l-11.698 56.621c-.732 3.542 3.979 5.473 5.943 2.437l1.313-2.028l72.516-144.72c1.215-2.423-.88-5.186-3.54-4.672l-25.505 4.922c-2.396.462-4.435-1.77-3.759-4.114l16.646-57.705c.677-2.35-1.37-4.583-3.769-4.113Z"></path></svg>


--------------------------------------------------------------------------------
/bff/ui/.gitignore:
--------------------------------------------------------------------------------
 1 | # Logs
 2 | logs
 3 | *.log
 4 | npm-debug.log*
 5 | yarn-debug.log*
 6 | yarn-error.log*
 7 | pnpm-debug.log*
 8 | lerna-debug.log*
 9 | 
10 | node_modules
11 | dist
12 | dist-ssr
13 | *.local
14 | 
15 | # Editor directories and files
16 | .vscode/*
17 | !.vscode/extensions.json
18 | .idea
19 | .DS_Store
20 | *.suo
21 | *.ntvs*
22 | *.njsproj
23 | *.sln
24 | *.sw?
25 | 


--------------------------------------------------------------------------------
/bff/ui/.vscode/extensions.json:
--------------------------------------------------------------------------------
1 | {
2 |   "recommendations": ["Vue.volar", "Vue.vscode-typescript-vue-plugin"]
3 | }
4 | 


--------------------------------------------------------------------------------
/bff/ui/README.md:
--------------------------------------------------------------------------------
 1 | # Vue 3 + TypeScript + Vite
 2 | 
 3 | This template should help get you started developing with Vue 3 and TypeScript in Vite. The template uses Vue 3 `<script setup>` SFCs, check out the [script setup docs](https://v3.vuejs.org/api/sfc-script-setup.html#sfc-script-setup) to learn more.
 4 | 
 5 | ## Recommended IDE Setup
 6 | 
 7 | - [VS Code](https://code.visualstudio.com/) + [Volar](https://marketplace.visualstudio.com/items?itemName=Vue.volar) (and disable Vetur) + [TypeScript Vue Plugin (Volar)](https://marketplace.visualstudio.com/items?itemName=Vue.vscode-typescript-vue-plugin).
 8 | 
 9 | ## Type Support For `.vue` Imports in TS
10 | 
11 | TypeScript cannot handle type information for `.vue` imports by default, so we replace the `tsc` CLI with `vue-tsc` for type checking. In editors, we need [TypeScript Vue Plugin (Volar)](https://marketplace.visualstudio.com/items?itemName=Vue.vscode-typescript-vue-plugin) to make the TypeScript language service aware of `.vue` types.
12 | 
13 | If the standalone TypeScript plugin doesn't feel fast enough to you, Volar has also implemented a [Take Over Mode](https://github.com/johnsoncodehk/volar/discussions/471#discussioncomment-1361669) that is more performant. You can enable it by the following steps:
14 | 
15 | 1. Disable the built-in TypeScript Extension
16 |    1. Run `Extensions: Show Built-in Extensions` from VSCode's command palette
17 |    2. Find `TypeScript and JavaScript Language Features`, right click and select `Disable (Workspace)`
18 | 2. Reload the VSCode window by running `Developer: Reload Window` from the command palette.
19 | 


--------------------------------------------------------------------------------
/bff/ui/certs/Readme.md:
--------------------------------------------------------------------------------
 1 | This certificate is only an example. Please use your own.
 2 | 
 3 | Double click the pfx on a windows mc and use the 1234 password to install. 
 4 | 
 5 | Add the certificates to the nx project for example in the **/certs** folder
 6 | 
 7 | Update the nx project.json file:
 8 | 
 9 | ```json
10 | "serve": {
11 |     "executor": "@angular-devkit/build-angular:dev-server",
12 |     "options": {
13 |     "browserTarget": "ui:build",
14 |     "sslKey": "certs/dev_localhost.key",
15 |     "sslCert": "certs/dev_localhost.pem",
16 |     "port": 4201
17 | },
18 | ```
19 | 


--------------------------------------------------------------------------------
/bff/ui/certs/dev_localhost.crt:
--------------------------------------------------------------------------------
 1 | MIICQDCCAamgAwIBAgIJAIKGapdMCt4NMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMTCWxvY2Fs
 2 | aG9zdDAeFw0yMDAyMjAyMjU3MjFaFw0zMDAyMjEyMjU3MjFaMBQxEjAQBgNVBAMTCWxvY2FsaG9z
 3 | dDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArOxyNClqlxIx9X8V3ZIFR4PtVIG7QYcJHmd1
 4 | oQbExnMJahlJs6pYSokdoU3fRnTIUJtbRXlPagDKZoJcUfl4KGaBL/bqF8P03noHSr59Vd3sU8Xl
 5 | CyAxiTlyusENTPuBSzK+8wVpTIVpqnG2Exx1cMGHfsnA0R1NzQCMQ3zFEkECAwEAAaOBmTCBljAS
 6 | BgNVHRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIB/jAUBgNVHREEDTALgglsb2NhbGhvc3Qw
 7 | OwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUF
 8 | BwMIMB0GA1UdDgQWBBQaVighscgq5k8BjEzeSsZp+6RxITANBgkqhkiG9w0BAQsFAAOBgQBXH/Sq
 9 | jekwz+O0eG0zA2MA2LSwt7OELi54vATFYkXO45IO5frRagUTWDkx85/Vfm9OcdfoaHD1UzPkGBU0
10 | BPsnN3SGCB3Pk5jSRaXIBBiqByDFiP+G6EYmUYhLxB3FpJp6S5KlnQtdtLkl3KuT8KBtc9haro+e
11 | lDlUx5s/FM3SJw==
12 | 


--------------------------------------------------------------------------------
/bff/ui/certs/dev_localhost.key:
--------------------------------------------------------------------------------
 1 | -----BEGIN RSA PRIVATE KEY-----
 2 | MIICXQIBAAKBgQCs7HI0KWqXEjH1fxXdkgVHg+1UgbtBhwkeZ3WhBsTGcwlqGUmzqlhKiR2hTd9G
 3 | dMhQm1tFeU9qAMpmglxR+XgoZoEv9uoXw/TeegdKvn1V3exTxeULIDGJOXK6wQ1M+4FLMr7zBWlM
 4 | hWmqcbYTHHVwwYd+ycDRHU3NAIxDfMUSQQIDAQABAoGAIB8z/7iJ0lJQ8XeQCj6ruGMrXP1UWZHK
 5 | AdnaIfVt7CdGYm0cIcHM8NuTo3khtqbO5xpU1Az60YggEPa6S4f558kGBIg4PQVxgE/Kv77ptGAk
 6 | rZG9FaCyIibGMh5aJLtxG0Fh1FGnuK1Xk1BKXtaGRUkZpKGg4rMJ9w3qp/T5vLkCQQDe+FiMqY2s
 7 | pxHEz+h3NJ0H2T81FCx2upf1fjTVtlQnJ7Gds6eZT0zwa3z1bSw+VkxICERY8C43bzPUJUgPIyLX
 8 | AkEAxooyVkJHmxlcIvZfrZPvQs+2GOXpWVnyjNUWf8t9G2MsmkdGIkp7oJhi5obpdNR+3jQe0xyr
 9 | Dvy1hbHuGp5opwJBALO6Zc5EogGozgbiPBVSoL2B3ZRQhaLSt8jYCYi3JtBFC8P927wVkwQ88IX4
10 | kXBSKbzqhQVX3Tkr9xArWRFylhMCQFmigt9WxSVM6cAPI1smctrjE/9hrVxds5fJjILdx/nZaIWu
11 | sAdDQVVb9yrEthm85hpDxbbiNohppzpY/nqeEfkCQQDInS/pP5dYTUxFV+/YweK+6smN2v+dYZAi
12 | 5KShWRl5fwpl+mdJT3aziRb/kfYkhGPQMO06OnGzjNKt7Rg0Z8mD
13 | -----END RSA PRIVATE KEY-----
14 | 


--------------------------------------------------------------------------------
/bff/ui/certs/dev_localhost.pem:
--------------------------------------------------------------------------------
 1 | -----BEGIN CERTIFICATE-----
 2 | MIICQDCCAamgAwIBAgIJAIKGapdMCt4NMA0GCSqGSIb3DQEBCwUAMBQxEjAQBgNVBAMTCWxvY2Fs
 3 | aG9zdDAeFw0yMDAyMjAyMjU3MjFaFw0zMDAyMjEyMjU3MjFaMBQxEjAQBgNVBAMTCWxvY2FsaG9z
 4 | dDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArOxyNClqlxIx9X8V3ZIFR4PtVIG7QYcJHmd1
 5 | oQbExnMJahlJs6pYSokdoU3fRnTIUJtbRXlPagDKZoJcUfl4KGaBL/bqF8P03noHSr59Vd3sU8Xl
 6 | CyAxiTlyusENTPuBSzK+8wVpTIVpqnG2Exx1cMGHfsnA0R1NzQCMQ3zFEkECAwEAAaOBmTCBljAS
 7 | BgNVHRMBAf8ECDAGAQH/AgEDMA4GA1UdDwEB/wQEAwIB/jAUBgNVHREEDTALgglsb2NhbGhvc3Qw
 8 | OwYDVR0lBDQwMgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAwYIKwYBBQUHAwQGCCsGAQUF
 9 | BwMIMB0GA1UdDgQWBBQaVighscgq5k8BjEzeSsZp+6RxITANBgkqhkiG9w0BAQsFAAOBgQBXH/Sq
10 | jekwz+O0eG0zA2MA2LSwt7OELi54vATFYkXO45IO5frRagUTWDkx85/Vfm9OcdfoaHD1UzPkGBU0
11 | BPsnN3SGCB3Pk5jSRaXIBBiqByDFiP+G6EYmUYhLxB3FpJp6S5KlnQtdtLkl3KuT8KBtc9haro+e
12 | lDlUx5s/FM3SJw==
13 | -----END CERTIFICATE-----
14 | 


--------------------------------------------------------------------------------
/bff/ui/index.html:
--------------------------------------------------------------------------------
 1 | <!doctype html>
 2 | <html lang="en">
 3 |   <head>
 4 |     <meta charset="UTF-8" />
 5 | 	<meta name="CSP_NONCE" content="**PLACEHOLDER_NONCE_SERVER**" />
 6 |     <link rel="icon" type="image/svg+xml" href="/vite.svg" />
 7 |     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
 8 |     <title>Vite + Vue + TS</title>
 9 |   </head>
10 |   <body>
11 |     <div id="app"></div>
12 |     <script type="module" src="/src/main.ts" ></script>
13 |   </body>
14 | </html>
15 | 


--------------------------------------------------------------------------------
/bff/ui/package.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "name": "ui",
 3 |   "private": true,
 4 |   "version": "0.0.0",
 5 |   "type": "module",
 6 |   "scripts": {
 7 |     "start": "vite",
 8 |     "dev": "vite",
 9 |     "build": "vue-tsc && vite build",
10 |     "preview": "vite preview"
11 |   },
12 |   "dependencies": {
13 |     "axios": "^1.5.0",
14 |     "vue": "^3.3.4"
15 |   },
16 |   "devDependencies": {
17 |     "@vitejs/plugin-basic-ssl": "^1.0.1",
18 |     "@vitejs/plugin-vue": "^4.2.3",
19 |     "typescript": "^5.2.2",
20 |     "vite": "^4.4.5",
21 |     "vue-tsc": "^1.8.5"
22 |   }
23 | }
24 | 


--------------------------------------------------------------------------------
/bff/ui/public/vite.svg:
--------------------------------------------------------------------------------
1 | <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="31.88" height="32" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 257"><defs><linearGradient id="IconifyId1813088fe1fbc01fb466" x1="-.828%" x2="57.636%" y1="7.652%" y2="78.411%"><stop offset="0%" stop-color="#41D1FF"></stop><stop offset="100%" stop-color="#BD34FE"></stop></linearGradient><linearGradient id="IconifyId1813088fe1fbc01fb467" x1="43.376%" x2="50.316%" y1="2.242%" y2="89.03%"><stop offset="0%" stop-color="#FFEA83"></stop><stop offset="8.333%" stop-color="#FFDD35"></stop><stop offset="100%" stop-color="#FFA800"></stop></linearGradient></defs><path fill="url(#IconifyId1813088fe1fbc01fb466)" d="M255.153 37.938L134.897 252.976c-2.483 4.44-8.862 4.466-11.382.048L.875 37.958c-2.746-4.814 1.371-10.646 6.827-9.67l120.385 21.517a6.537 6.537 0 0 0 2.322-.004l117.867-21.483c5.438-.991 9.574 4.796 6.877 9.62Z"></path><path fill="url(#IconifyId1813088fe1fbc01fb467)" d="M185.432.063L96.44 17.501a3.268 3.268 0 0 0-2.634 3.014l-5.474 92.456a3.268 3.268 0 0 0 3.997 3.378l24.777-5.718c2.318-.535 4.413 1.507 3.936 3.838l-7.361 36.047c-.495 2.426 1.782 4.5 4.151 3.78l15.304-4.649c2.372-.72 4.652 1.36 4.15 3.788l-11.698 56.621c-.732 3.542 3.979 5.473 5.943 2.437l1.313-2.028l72.516-144.72c1.215-2.423-.88-5.186-3.54-4.672l-25.505 4.922c-2.396.462-4.435-1.77-3.759-4.114l16.646-57.705c.677-2.35-1.37-4.583-3.769-4.113Z"></path></svg>


--------------------------------------------------------------------------------
/bff/ui/src/App.vue:
--------------------------------------------------------------------------------
 1 | <script setup lang="ts">
 2 | import HelloWorld from './components/HelloWorld.vue'
 3 | </script>
 4 | 
 5 | <template>
 6 |   <div>
 7 |     <a href="https://vitejs.dev" target="_blank">
 8 |       <img src="/vite.svg" class="logo" alt="Vite logo" />
 9 |     </a>
10 |     <a href="https://vuejs.org/" target="_blank">
11 |       <img src="./assets/vue.svg" class="logo vue" alt="Vue logo" />
12 |     </a>
13 |   </div>
14 |   <HelloWorld />
15 | </template>
16 | 
17 | <style scoped>
18 | .logo {
19 |   height: 6em;
20 |   padding: 1.5em;
21 |   will-change: filter;
22 |   transition: filter 300ms;
23 | }
24 | .logo:hover {
25 |   filter: drop-shadow(0 0 2em #646cffaa);
26 | }
27 | .logo.vue:hover {
28 |   filter: drop-shadow(0 0 2em #42b883aa);
29 | }
30 | </style>
31 | 


--------------------------------------------------------------------------------
/bff/ui/src/assets/vue.svg:
--------------------------------------------------------------------------------
1 | <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" role="img" class="iconify iconify--logos" width="37.07" height="36" preserveAspectRatio="xMidYMid meet" viewBox="0 0 256 198"><path fill="#41B883" d="M204.8 0H256L128 220.8L0 0h97.92L128 51.2L157.44 0h47.36Z"></path><path fill="#41B883" d="m0 0l128 220.8L256 0h-51.2L128 132.48L50.56 0H0Z"></path><path fill="#35495E" d="M50.56 0L128 133.12L204.8 0h-47.36L128 51.2L97.92 0H50.56Z"></path></svg>


--------------------------------------------------------------------------------
/bff/ui/src/components/HelloWorld.vue:
--------------------------------------------------------------------------------
 1 | <script setup lang="ts">
 2 | import ResultsDisplay from './ResultsDisplay.vue'
 3 | import axios from 'axios';
 4 | import { ref, onMounted } from 'vue'
 5 | import { getCookie } from '../getCookie';
 6 | 
 7 | const isLoggedIn = ref<boolean>()
 8 | const currentUser = ref<any>()
 9 | const jsonResponse = ref<any>()
10 | 
11 | onMounted(() => {
12 |   getUserProfile()
13 | })
14 | 
15 | const axiosConfig = {
16 |   headers:{
17 |     'X-XSRF-TOKEN': getCookie('XSRF-RequestToken'),
18 |   }
19 | };
20 | 
21 | // request.headers.set('X-XSRF-TOKEN',  getCookie('XSRF-RequestToken'));
22 | 
23 | function getDirectApi() {
24 | 	axios.get(`${getCurrentHost()}/api/DirectApi`, axiosConfig)
25 | 		.then((response: any) => {
26 | 			jsonResponse.value =  response.data;
27 | 			return response.data;
28 | 		})
29 | 		.catch((error: any) => {
30 | 			alert(error);
31 | 		});
32 | }
33 | 
34 | function getUserProfile() {
35 | 	axios.get(`${getCurrentHost()}/api/User`)
36 | 	.then((response: any) => {
37 | 		console.log(response);
38 | 		jsonResponse.value  =  response.data;
39 | 		if(response.data.isAuthenticated){
40 | 			isLoggedIn.value  = true;
41 | 			currentUser.value  = response.data.claims[0].value
42 | 		}
43 | 
44 | 		return response.data;
45 | 	})
46 | 	.catch((error: any) => {
47 | 		alert(error);
48 | 	});
49 | }
50 | 
51 | function getCurrentHost() {
52 | 	const host = window.location.host;
53 | 	const url = `${window.location.protocol}//${host}`;
54 | 
55 | 	return url;
56 | }
57 | 
58 | </script>
59 | 
60 | <template>
61 |   <div class='home'>
62 | 	
63 | 	<a class="btn" href="api/Account/Login" v-if='!isLoggedIn'>Log in</a>
64 | 	
65 | 	<div v-if='isLoggedIn'>
66 | 		<form method="post" action="api/Account/Logout">
67 | 		  <button class="btn btn-link" type="submit">Sign out</button>
68 | 		</form>
69 | 
70 | 	</div>
71 | 	
72 | 	<button v-if='isLoggedIn' class='btn' @click='getUserProfile' >Get Profile data</button>
73 | 	<button v-if='isLoggedIn' class='btn' @click='getDirectApi' >Get API data</button>
74 | 	
75 | 	<ResultsDisplay v-if='isLoggedIn' 
76 | 		v-bind:currentUser='currentUser'
77 | 		v-bind:jsonResponse='jsonResponse' />
78 | 		
79 |   </div>
80 |   
81 |   <p class="read-the-docs">BFF using ASP.NET Core and Vue.js</p>
82 | </template>
83 | 
84 | <style scoped>
85 | .read-the-docs {
86 |   color: #888;
87 | }
88 | </style>
89 | 


--------------------------------------------------------------------------------
/bff/ui/src/components/ResultsDisplay.vue:
--------------------------------------------------------------------------------
 1 | <script setup lang="ts">
 2 | 
 3 | defineProps<{ currentUser: string, jsonResponse:any }>()
 4 | 
 5 | </script>
 6 | 
 7 | <template>
 8 |   <div class='home'>
 9 | 	<p>User: {{ currentUser }}</p>
10 | 	
11 | 	<p>{{ jsonResponse }}</p>
12 |   </div>
13 | </template>
14 | 
15 | <style scoped>
16 | .read-the-docs {
17 |   color: #888;
18 | }
19 | </style>
20 | 


--------------------------------------------------------------------------------
/bff/ui/src/getCookie.ts:
--------------------------------------------------------------------------------
 1 | export const getCookie = (cookieName: string) => {
 2 |   const name = `${cookieName}=`;
 3 |   const decodedCookie = decodeURIComponent(document.cookie);
 4 |   const ca = decodedCookie.split(";");
 5 |   for (let i = 0; i < ca.length; i += 1) {
 6 |     let c = ca[i];
 7 |     while (c.charAt(0) === " ") {
 8 |       c = c.substring(1);
 9 |     }
10 |     if (c.indexOf(name) === 0) {
11 |       return c.substring(name.length, c.length);
12 |     }
13 |   }
14 |   return "";
15 | };
16 | 


--------------------------------------------------------------------------------
/bff/ui/src/main.ts:
--------------------------------------------------------------------------------
1 | import { createApp } from 'vue'
2 | import './style.css'
3 | import App from './App.vue'
4 | 
5 | createApp(App).mount('#app')
6 | 


--------------------------------------------------------------------------------
/bff/ui/src/style.css:
--------------------------------------------------------------------------------
 1 | :root {
 2 |   font-family: Inter, system-ui, Avenir, Helvetica, Arial, sans-serif;
 3 |   line-height: 1.5;
 4 |   font-weight: 400;
 5 | 
 6 |   color-scheme: light dark;
 7 |   color: rgba(255, 255, 255, 0.87);
 8 |   background-color: #242424;
 9 | 
10 |   font-synthesis: none;
11 |   text-rendering: optimizeLegibility;
12 |   -webkit-font-smoothing: antialiased;
13 |   -moz-osx-font-smoothing: grayscale;
14 |   -webkit-text-size-adjust: 100%;
15 | }
16 | 
17 | a {
18 |   font-weight: 500;
19 |   color: #646cff;
20 |   text-decoration: inherit;
21 | }
22 | a:hover {
23 |   color: #535bf2;
24 | }
25 | 
26 | body {
27 |   margin: 0;
28 |   display: flex;
29 |   place-items: center;
30 |   min-width: 320px;
31 |   min-height: 100vh;
32 | }
33 | 
34 | h1 {
35 |   font-size: 3.2em;
36 |   line-height: 1.1;
37 | }
38 | 
39 | button {
40 |   border-radius: 8px;
41 |   border: 1px solid transparent;
42 |   padding: 0.6em 1.2em;
43 |   font-size: 1em;
44 |   font-weight: 500;
45 |   font-family: inherit;
46 |   background-color: #1a1a1a;
47 |   cursor: pointer;
48 |   transition: border-color 0.25s;
49 | }
50 | button:hover {
51 |   border-color: #646cff;
52 | }
53 | button:focus,
54 | button:focus-visible {
55 |   outline: 4px auto -webkit-focus-ring-color;
56 | }
57 | 
58 | .card {
59 |   padding: 2em;
60 | }
61 | 
62 | #app {
63 |   max-width: 1280px;
64 |   margin: 0 auto;
65 |   padding: 2rem;
66 |   text-align: center;
67 | }
68 | 
69 | @media (prefers-color-scheme: light) {
70 |   :root {
71 |     color: #213547;
72 |     background-color: #ffffff;
73 |   }
74 |   a:hover {
75 |     color: #747bff;
76 |   }
77 |   button {
78 |     background-color: #f9f9f9;
79 |   }
80 | }
81 | 


--------------------------------------------------------------------------------
/bff/ui/src/vite-env.d.ts:
--------------------------------------------------------------------------------
1 | /// <reference types="vite/client" />
2 | 


--------------------------------------------------------------------------------
/bff/ui/tsconfig.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "compilerOptions": {
 3 |     "target": "ES2020",
 4 |     "useDefineForClassFields": true,
 5 |     "module": "ESNext",
 6 |     "lib": ["ES2020", "DOM", "DOM.Iterable"],
 7 |     "skipLibCheck": true,
 8 | 
 9 |     /* Bundler mode */
10 |     "moduleResolution": "bundler",
11 |     "allowImportingTsExtensions": true,
12 |     "resolveJsonModule": true,
13 |     "isolatedModules": true,
14 |     "noEmit": true,
15 |     "jsx": "preserve",
16 | 
17 |     /* Linting */
18 |     "strict": true,
19 |     "noUnusedLocals": true,
20 |     "noUnusedParameters": true,
21 |     "noFallthroughCasesInSwitch": true
22 |   },
23 |   "include": ["src/**/*.ts", "src/**/*.d.ts", "src/**/*.tsx", "src/**/*.vue"],
24 |   "references": [{ "path": "./tsconfig.node.json" }]
25 | }
26 | 


--------------------------------------------------------------------------------
/bff/ui/tsconfig.node.json:
--------------------------------------------------------------------------------
 1 | {
 2 |   "compilerOptions": {
 3 |     "composite": true,
 4 |     "skipLibCheck": true,
 5 |     "module": "ESNext",
 6 |     "moduleResolution": "bundler",
 7 |     "allowSyntheticDefaultImports": true
 8 |   },
 9 |   "include": ["vite.config.ts"]
10 | }
11 | 


--------------------------------------------------------------------------------
/bff/ui/vite.config.ts:
--------------------------------------------------------------------------------
 1 | import { defineConfig } from 'vite'
 2 | import vue from '@vitejs/plugin-vue'
 3 | import fs from 'fs';
 4 | 
 5 | // https://vitejs.dev/config/
 6 | export default defineConfig({
 7 |   plugins: [vue()],
 8 |   server: {
 9 |     https: {
10 | 		key: fs.readFileSync('./certs/dev_localhost.key'),
11 | 		cert: fs.readFileSync('./certs/dev_localhost.pem'),
12 | 	},
13 |     port: 4202,
14 |     strictPort: true, // exit if port is in use
15 |     hmr: {
16 |       clientPort: 4202, // point vite websocket connection to vite directly, circumventing .net proxy
17 |     },
18 |   },
19 |   optimizeDeps: {
20 |     force: true,
21 |   },
22 |   build: {
23 |     outDir: "../server/wwwroot",
24 |     emptyOutDir: true
25 |   },
26 | })
27 | 


--------------------------------------------------------------------------------
/images/.$vue-aspnetcore-bff-yarp-dev.drawio.png.bkp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/images/.$vue-aspnetcore-bff-yarp-dev.drawio.png.bkp


--------------------------------------------------------------------------------
/images/.$vue-aspnetcore-bff.drawio.png.bkp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/images/.$vue-aspnetcore-bff.drawio.png.bkp


--------------------------------------------------------------------------------
/images/vue-aspnetcore-bff-02.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/images/vue-aspnetcore-bff-02.png


--------------------------------------------------------------------------------
/images/vue-aspnetcore-bff-yarp-dev.drawio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/images/vue-aspnetcore-bff-yarp-dev.drawio.png


--------------------------------------------------------------------------------
/images/vue-aspnetcore-bff.drawio.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/damienbod/bff-aspnetcore-oidc-vuejs/49526787713d1ffd9df1ee3714bb69201bac4b5b/images/vue-aspnetcore-bff.drawio.png


--------------------------------------------------------------------------------