mirror of
https://github.com/bitwarden/server.git
synced 2025-04-06 21:48:12 -05:00
validate old auth bearer tokens so that we can generate new identity ones
This commit is contained in:
Kyle Spearrin
parent
54d065c3d9
commit
220243c8b4
@ -1,14 +1,21 @@
|
|||||||
using Bit.Api.Models.Response;
|
using Bit.Api.Models.Response;
|
||||||
using Bit.Core.Domains;
|
using Bit.Core.Domains;
|
||||||
using Bit.Core.Enums;
|
using Bit.Core.Enums;
|
||||||
using Bit.Core.Exceptions;
|
using Bit.Core.Identity;
|
||||||
using Bit.Core.Repositories;
|
using Bit.Core.Repositories;
|
||||||
using IdentityServer4.Models;
|
using IdentityServer4.Models;
|
||||||
using IdentityServer4.Validation;
|
using IdentityServer4.Validation;
|
||||||
|
using Microsoft.AspNetCore.Authentication;
|
||||||
using Microsoft.AspNetCore.Builder;
|
using Microsoft.AspNetCore.Builder;
|
||||||
|
using Microsoft.AspNetCore.Http;
|
||||||
|
using Microsoft.AspNetCore.Http.Authentication;
|
||||||
using Microsoft.AspNetCore.Identity;
|
using Microsoft.AspNetCore.Identity;
|
||||||
|
using Microsoft.Extensions.DependencyInjection;
|
||||||
using Microsoft.Extensions.Options;
|
using Microsoft.Extensions.Options;
|
||||||
|
using Microsoft.IdentityModel.Tokens;
|
||||||
using System;
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Linq;
|
||||||
using System.Security.Claims;
|
using System.Security.Claims;
|
||||||
using System.Threading.Tasks;
|
using System.Threading.Tasks;
|
||||||
|
|
||||||
@ -16,64 +23,131 @@ namespace Bit.Api.IdentityServer
|
|||||||
{
|
{
|
||||||
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
|
public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
|
||||||
{
|
{
|
||||||
private readonly UserManager<User> _userManager;
|
private UserManager<User> _userManager;
|
||||||
private readonly IdentityOptions _identityOptions;
|
private IdentityOptions _identityOptions;
|
||||||
|
private JwtBearerOptions _jwtBearerOptions;
|
||||||
|
private JwtBearerIdentityOptions _jwtBearerIdentityOptions;
|
||||||
private readonly IDeviceRepository _deviceRepository;
|
private readonly IDeviceRepository _deviceRepository;
|
||||||
|
private readonly IHttpContextAccessor _httpContextAccessor;
|
||||||
|
|
||||||
public ResourceOwnerPasswordValidator(
|
public ResourceOwnerPasswordValidator(
|
||||||
UserManager<User> userManager,
|
IDeviceRepository deviceRepository,
|
||||||
IOptions<IdentityOptions> optionsAccessor,
|
IHttpContextAccessor httpContextAccessor)
|
||||||
IDeviceRepository deviceRepository)
|
|
||||||
{
|
{
|
||||||
_userManager = userManager;
|
|
||||||
_identityOptions = optionsAccessor?.Value ?? new IdentityOptions();
|
|
||||||
_deviceRepository = deviceRepository;
|
_deviceRepository = deviceRepository;
|
||||||
|
_httpContextAccessor = httpContextAccessor;
|
||||||
}
|
}
|
||||||
|
|
||||||
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
|
public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
|
||||||
{
|
{
|
||||||
|
Init();
|
||||||
|
|
||||||
|
var oldAuthBearer = context.Request.Raw["oldAuthBearer"]?.ToString();
|
||||||
var twoFactorCode = context.Request.Raw["twoFactorCode"]?.ToString();
|
var twoFactorCode = context.Request.Raw["twoFactorCode"]?.ToString();
|
||||||
var twoFactorProvider = context.Request.Raw["twoFactorProvider"]?.ToString();
|
var twoFactorProvider = context.Request.Raw["twoFactorProvider"]?.ToString();
|
||||||
var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorCode) &&
|
var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorCode) &&
|
||||||
!string.IsNullOrWhiteSpace(twoFactorProvider);
|
!string.IsNullOrWhiteSpace(twoFactorProvider);
|
||||||
|
|
||||||
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
|
if(!string.IsNullOrWhiteSpace(oldAuthBearer) && _jwtBearerOptions != null)
|
||||||
if(user != null)
|
|
||||||
{
|
{
|
||||||
if(await _userManager.CheckPasswordAsync(user, context.Password))
|
// support transferring the old auth bearer token
|
||||||
|
var ticket = ValidateOldAuthBearer(oldAuthBearer);
|
||||||
|
if(ticket != null && ticket.Principal != null)
|
||||||
{
|
{
|
||||||
if(!twoFactorRequest && await TwoFactorRequiredAsync(user))
|
var idClaim = ticket.Principal.Claims.FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.UserIdClaimType);
|
||||||
|
var securityTokenClaim = ticket.Principal.Claims.FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.SecurityStampClaimType);
|
||||||
|
if(idClaim != null && securityTokenClaim != null)
|
||||||
{
|
{
|
||||||
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor code required.",
|
var user = await _userManager.FindByIdAsync(idClaim.Value);
|
||||||
new System.Collections.Generic.Dictionary<string, object> { { "TwoFactorRequired", true } });
|
if(user != null && user.SecurityStamp == securityTokenClaim.Value)
|
||||||
return;
|
{
|
||||||
|
BuildSuccessResult(user, context);
|
||||||
|
return;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
if(!twoFactorRequest || await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProvider, twoFactorCode))
|
}
|
||||||
|
else if(!string.IsNullOrWhiteSpace(context.UserName))
|
||||||
|
{
|
||||||
|
var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
|
||||||
|
if(user != null)
|
||||||
|
{
|
||||||
|
if(await _userManager.CheckPasswordAsync(user, context.Password))
|
||||||
{
|
{
|
||||||
await SaveDeviceAsync(user, context);
|
if(!twoFactorRequest && await TwoFactorRequiredAsync(user))
|
||||||
|
{
|
||||||
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor code required.",
|
||||||
|
new Dictionary<string, object> { { "TwoFactorRequired", true } });
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
context.Result = new GrantValidationResult(user.Id.ToString(), "Application", identityProvider: "bitwarden",
|
if(!twoFactorRequest || await _userManager.VerifyTwoFactorTokenAsync(user, twoFactorProvider, twoFactorCode))
|
||||||
claims: new Claim[] {
|
{
|
||||||
// Deprecated claims for backwards compatability
|
await SaveDeviceAsync(user, context);
|
||||||
new Claim(ClaimTypes.AuthenticationMethod, "Application"),
|
BuildSuccessResult(user, context);
|
||||||
new Claim(_identityOptions.ClaimsIdentity.UserIdClaimType, user.Id.ToString()),
|
return;
|
||||||
new Claim(_identityOptions.ClaimsIdentity.UserNameClaimType, user.Email.ToString()),
|
}
|
||||||
new Claim(_identityOptions.ClaimsIdentity.SecurityStampClaimType, user.SecurityStamp)
|
|
||||||
});
|
|
||||||
return;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
await Task.Delay(2000);
|
await Task.Delay(2000);
|
||||||
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse:
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse:
|
||||||
new System.Collections.Generic.Dictionary<string, object> { {
|
new Dictionary<string, object> { {
|
||||||
"ErrorModel", new ErrorResponseModel(twoFactorRequest ?
|
"ErrorModel", new ErrorResponseModel(twoFactorRequest ?
|
||||||
"Code is not correct. Try again." : "Username or password is incorrect. Try again.")
|
"Code is not correct. Try again." : "Username or password is incorrect. Try again.")
|
||||||
} });
|
} });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void Init()
|
||||||
|
{
|
||||||
|
var httpContext = _httpContextAccessor.HttpContext;
|
||||||
|
_userManager = httpContext.RequestServices.GetRequiredService<UserManager<User>>();
|
||||||
|
_identityOptions = httpContext.RequestServices.GetRequiredService<IOptions<IdentityOptions>>()?.Value ?? new IdentityOptions();
|
||||||
|
_jwtBearerOptions = httpContext.RequestServices.GetRequiredService<IOptions<JwtBearerOptions>>()?.Value;
|
||||||
|
_jwtBearerIdentityOptions = httpContext.RequestServices.GetRequiredService<IOptions<JwtBearerIdentityOptions>>()?.Value;
|
||||||
|
}
|
||||||
|
|
||||||
|
private void BuildSuccessResult(User user, ResourceOwnerPasswordValidationContext context)
|
||||||
|
{
|
||||||
|
context.Result = new GrantValidationResult(user.Id.ToString(), "Application", identityProvider: "bitwarden",
|
||||||
|
claims: new Claim[] {
|
||||||
|
// Deprecated claims for backwards compatability
|
||||||
|
new Claim(ClaimTypes.AuthenticationMethod, "Application"),
|
||||||
|
new Claim(_identityOptions.ClaimsIdentity.UserIdClaimType, user.Id.ToString()),
|
||||||
|
new Claim(_identityOptions.ClaimsIdentity.UserNameClaimType, user.Email.ToString()),
|
||||||
|
new Claim(_identityOptions.ClaimsIdentity.SecurityStampClaimType, user.SecurityStamp)
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
private AuthenticationTicket ValidateOldAuthBearer(string token)
|
||||||
|
{
|
||||||
|
SecurityToken validatedToken;
|
||||||
|
foreach(var validator in _jwtBearerOptions.SecurityTokenValidators)
|
||||||
|
{
|
||||||
|
if(validator.CanReadToken(token))
|
||||||
|
{
|
||||||
|
ClaimsPrincipal principal;
|
||||||
|
try
|
||||||
|
{
|
||||||
|
principal = validator.ValidateToken(token,
|
||||||
|
_jwtBearerOptions.TokenValidationParameters, out validatedToken);
|
||||||
|
}
|
||||||
|
catch
|
||||||
|
{
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(),
|
||||||
|
_jwtBearerOptions.AuthenticationScheme);
|
||||||
|
|
||||||
|
return ticket;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
private async Task<bool> TwoFactorRequiredAsync(User user)
|
private async Task<bool> TwoFactorRequiredAsync(User user)
|
||||||
{
|
{
|
||||||
return _userManager.SupportsUserTwoFactor &&
|
return _userManager.SupportsUserTwoFactor &&
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user