remove deprecated jwt bearer authentication method

2025-07-04 01:22:50 -05:00 · 2017-06-06 23:19:42 -04:00
parent 811bbbfe0a
commit d8c0994ed3
16 changed files with 29 additions and 624 deletions
--- a/src/Core/IdentityServer/ApiResources.cs
+++ b/src/Core/IdentityServer/ApiResources.cs
@ -1,4 +1,5 @@
-using IdentityServer4.Models;
+using IdentityModel;
+using IdentityServer4.Models;
 using System.Collections.Generic;
 using System.Security.Claims;

@ -11,13 +12,9 @@ namespace Bit.Core.IdentityServer
            return new List<ApiResource>
            {
                new ApiResource("api", new string[] {
-                    ClaimTypes.AuthenticationMethod,
-                    ClaimTypes.NameIdentifier,
-                    ClaimTypes.Email,
-                    "securitystamp",
-
-                    "name",
-                    "email",
+                    JwtClaimTypes.Name,
+                    JwtClaimTypes.Email,
+                    JwtClaimTypes.EmailVerified,
                    "sstamp", // security stamp
                    "plan",
                    "device",
--- a/src/Core/IdentityServer/ProfileService.cs
+++ b/src/Core/IdentityServer/ProfileService.cs
@ -9,6 +9,7 @@ using Microsoft.AspNetCore.Builder;
 using System.Linq;
 using Microsoft.Extensions.Options;
 using System;
+using IdentityModel;

 namespace Bit.Core.IdentityServer
 {
@ -42,43 +43,40 @@ namespace Bit.Core.IdentityServer
                newClaims.AddRange(new List<Claim>
                {
                    new Claim("plan", "0"), // free plan hard coded for now
-                    new Claim("sstamp", user.SecurityStamp),
-                    new Claim("email", user.Email),
-
-                    // Deprecated claims for backwards compatability
-                    new Claim(_identityOptions.ClaimsIdentity.UserNameClaimType, user.Email),
+                    new Claim(JwtClaimTypes.Email, user.Email),
+                    new Claim(JwtClaimTypes.EmailVerified, user.EmailVerified ? "true" : "false"),
                    new Claim(_identityOptions.ClaimsIdentity.SecurityStampClaimType, user.SecurityStamp)
                });

                if(!string.IsNullOrWhiteSpace(user.Name))
                {
-                    newClaims.Add(new Claim("name", user.Name));
+                    newClaims.Add(new Claim(JwtClaimTypes.Name, user.Name));
                }

                // Orgs that this user belongs to
                var orgs = await _organizationUserRepository.GetManyByUserAsync(user.Id);
                if(orgs.Any())
                {
-                    var groupedOrgs = orgs.Where(o => o.Status == Core.Enums.OrganizationUserStatusType.Confirmed)
+                    var groupedOrgs = orgs.Where(o => o.Status == Enums.OrganizationUserStatusType.Confirmed)
                        .GroupBy(o => o.Type);

                    foreach(var group in groupedOrgs)
                    {
                        switch(group.Key)
                        {
-                            case Core.Enums.OrganizationUserType.Owner:
+                            case Enums.OrganizationUserType.Owner:
                                foreach(var org in group)
                                {
                                    newClaims.Add(new Claim("orgowner", org.OrganizationId.ToString()));
                                }
                                break;
-                            case Core.Enums.OrganizationUserType.Admin:
+                            case Enums.OrganizationUserType.Admin:
                                foreach(var org in group)
                                {
                                    newClaims.Add(new Claim("orgadmin", org.OrganizationId.ToString()));
                                }
                                break;
-                            case Core.Enums.OrganizationUserType.User:
+                            case Enums.OrganizationUserType.User:
                                foreach(var org in group)
                                {
                                    newClaims.Add(new Claim("orguser", org.OrganizationId.ToString()));
--- a/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
+++ b/src/Core/IdentityServer/ResourceOwnerPasswordValidator.cs
@ -1,19 +1,12 @@
 using Bit.Core.Models.Api;
 using Bit.Core.Models.Table;
 using Bit.Core.Enums;
-using Bit.Core.Identity;
 using Bit.Core.Repositories;
 using IdentityServer4.Models;
 using IdentityServer4.Validation;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Http.Authentication;
 using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Options;
-using Microsoft.IdentityModel.Tokens;
 using System;
 using System.Collections.Generic;
-using System.Linq;
 using System.Security.Claims;
 using System.Threading.Tasks;
 using Bit.Core.Services;
@ -23,57 +16,26 @@ namespace Bit.Core.IdentityServer
    public class ResourceOwnerPasswordValidator : IResourceOwnerPasswordValidator
    {
        private UserManager<User> _userManager;
-        private IdentityOptions _identityOptions;
-        private JwtBearerOptions _jwtBearerOptions;
-        private JwtBearerIdentityOptions _jwtBearerIdentityOptions;
        private readonly IDeviceRepository _deviceRepository;
        private readonly IDeviceService _deviceService;

        public ResourceOwnerPasswordValidator(
            UserManager<User> userManager,
-            IOptions<IdentityOptions> identityOptionsAccessor,
-            IOptions<JwtBearerIdentityOptions> jwtIdentityOptionsAccessor,
            IDeviceRepository deviceRepository,
            IDeviceService deviceService)
        {
            _userManager = userManager;
-            _identityOptions = identityOptionsAccessor?.Value ?? new IdentityOptions();
-            _jwtBearerIdentityOptions = jwtIdentityOptionsAccessor?.Value;
-            _jwtBearerOptions = Identity.JwtBearerAppBuilderExtensions.BuildJwtBearerOptions(_jwtBearerIdentityOptions);
            _deviceRepository = deviceRepository;
            _deviceService = deviceService;
        }

        public async Task ValidateAsync(ResourceOwnerPasswordValidationContext context)
        {
-            var oldAuthBearer = context.Request.Raw["OldAuthBearer"]?.ToString();
            var twoFactorToken = context.Request.Raw["TwoFactorToken"]?.ToString();
            var twoFactorProvider = context.Request.Raw["TwoFactorProvider"]?.ToString();
            var twoFactorRequest = !string.IsNullOrWhiteSpace(twoFactorToken) && !string.IsNullOrWhiteSpace(twoFactorProvider);

-            if(!string.IsNullOrWhiteSpace(oldAuthBearer) && _jwtBearerOptions != null)
-            {
-                // support transferring the old auth bearer token
-                var ticket = ValidateOldAuthBearer(oldAuthBearer);
-                if(ticket != null && ticket.Principal != null)
-                {
-                    var idClaim = ticket.Principal.Claims
-                        .FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.UserIdClaimType);
-                    var securityTokenClaim = ticket.Principal.Claims
-                        .FirstOrDefault(c => c.Type == _identityOptions.ClaimsIdentity.SecurityStampClaimType);
-                    if(idClaim != null && securityTokenClaim != null)
-                    {
-                        var user = await _userManager.FindByIdAsync(idClaim.Value);
-                        if(user != null && user.SecurityStamp == securityTokenClaim.Value)
-                        {
-                            var device = await SaveDeviceAsync(user, context);
-                            BuildSuccessResult(user, context, device);
-                            return;
-                        }
-                    }
-                }
-            }
-            else if(!string.IsNullOrWhiteSpace(context.UserName))
+            if(!string.IsNullOrWhiteSpace(context.UserName))
            {
                var user = await _userManager.FindByEmailAsync(context.UserName.ToLowerInvariant());
                if(user != null)
@ -110,12 +72,7 @@ namespace Bit.Core.IdentityServer

        private void BuildSuccessResult(User user, ResourceOwnerPasswordValidationContext context, Device device)
        {
-            var claims = new List<Claim>
-            {
-                // Deprecated claims for backwards compatibility
-                new Claim(ClaimTypes.AuthenticationMethod, "Application"),
-                new Claim(_identityOptions.ClaimsIdentity.UserIdClaimType, user.Id.ToString())
-            };
+            var claims = new List<Claim>();

            if(device != null)
            {
@ -164,34 +121,6 @@ namespace Bit.Core.IdentityServer
                }});
        }

-        private AuthenticationTicket ValidateOldAuthBearer(string token)
-        {
-            SecurityToken validatedToken;
-            foreach(var validator in _jwtBearerOptions.SecurityTokenValidators)
-            {
-                if(validator.CanReadToken(token))
-                {
-                    ClaimsPrincipal principal;
-                    try
-                    {
-                        principal = validator.ValidateToken(token,
-                            _jwtBearerOptions.TokenValidationParameters, out validatedToken);
-                    }
-                    catch
-                    {
-                        continue;
-                    }
-
-                    var ticket = new AuthenticationTicket(principal, new AuthenticationProperties(),
-                        _jwtBearerOptions.AuthenticationScheme);
-
-                    return ticket;
-                }
-            }
-
-            return null;
-        }
-
        private async Task<bool> TwoFactorRequiredAsync(User user)
        {
            return _userManager.SupportsUserTwoFactor &&