PM-20532 - Update ProfileService.cs to add docs + add send client handling.

2025-06-10 13:10:31 -05:00 · 2025-05-29 17:10:04 -04:00 · 2025-05-29 17:10:04 -04:00 · 4b870dab0b
commit 4b870dab0b
parent da4f21d976
1 changed files with 26 additions and 3 deletions
--- a/src/Identity/IdentityServer/ProfileService.cs
+++ b/src/Identity/IdentityServer/ProfileService.cs
@ -1,6 +1,7 @@
 using System.Security.Claims;
 using Bit.Core.AdminConsole.Repositories;
 using Bit.Core.Context;
+using Bit.Core.Enums;
 using Bit.Core.Identity;
 using Bit.Core.Repositories;
 using Bit.Core.Services;
@ -35,10 +36,23 @@ public class ProfileService : IProfileService
        _currentContext = currentContext;
    }

-    // TODO: this will be called for the SendAccessGrantValidator
    public async Task GetProfileDataAsync(ProfileDataRequestContext context)
    {
        var existingClaims = context.Subject.Claims;
+
+        if (context.Client.ClientId == BitwardenClient.Send)
+        {
+            // preserve all claims that were already on context.Subject
+            // which includes the ones added by the SendAccessGrantValidator
+            context.IssuedClaims.AddRange(existingClaims);
+            return;
+        }
+
+        // Whenever IdentityServer issues a new access token or services a UserInfo request, it calls
+        // GetProfileDataAsync to determine which claims to include in the token or response.
+        // In normal user identity scenarios, we have to look up the user to get their claims and update
+        // the issued claims collection as claim info can have changed since the last time the user logged in or the
+        // last time the token was issued.
        var newClaims = new List<Claim>();

        var user = await _userService.GetUserByPrincipalAsync(context.Subject);
@ -58,9 +72,12 @@ public class ProfileService : IProfileService
            }
        }

-        // filter out any of the new claims
        var existingClaimsToKeep = existingClaims
-            .Where(c => !c.Type.StartsWith("org") &&
+            .Where(c =>
+                // Drop any org claims
+                !c.Type.StartsWith("org") &&
+                // If we have no new claims, then keep the existing claims
+                // If we have new claims, then keep the existing claim if it does not match a new claim type
                (newClaims.Count == 0 || !newClaims.Any(nc => nc.Type == c.Type)))
            .ToList();

@ -75,6 +92,12 @@ public class ProfileService : IProfileService

    public async Task IsActiveAsync(IsActiveContext context)
    {
+        if (context.Client.ClientId == BitwardenClient.Send)
+        {
+            context.IsActive = true;
+            return;
+        }
+
        // We add the security stamp claim to the persisted grant when we issue the refresh token.
        // IdentityServer will add this claim to the subject, and here we evaluate whether the security stamp that
        // was persisted matches the current security stamp of the user. If it does not match, then the user has performed