internal identity authorization

2025-07-03 17:12:49 -05:00 · 2018-08-15 18:43:26 -04:00
parent 25899fd326
commit ff01ce5ca7
11 changed files with 119 additions and 56 deletions
--- a/src/Core/IdentityServer/ClientStore.cs
+++ b/src/Core/IdentityServer/ClientStore.cs
@ -6,6 +6,7 @@ using Bit.Core.Repositories;
 using System;
 using System.Security.Claims;
 using IdentityModel;
+using Bit.Core.Utilities;

 namespace Bit.Core.IdentityServer
 {
@ -14,15 +15,19 @@ namespace Bit.Core.IdentityServer
        private static IDictionary<string, Client> _apiClients = StaticClients.GetApiClients();

        private readonly IInstallationRepository _installationRepository;
+        private readonly GlobalSettings _globalSettings;
+
        public ClientStore(
-            IInstallationRepository installationRepository)
+            IInstallationRepository installationRepository,
+            GlobalSettings globalSettings)
        {
            _installationRepository = installationRepository;
+            _globalSettings = globalSettings;
        }

        public async Task<Client> FindClientByIdAsync(string clientId)
        {
-            if(clientId.StartsWith("installation."))
+            if(!_globalSettings.SelfHosted && clientId.StartsWith("installation."))
            {
                var idParts = clientId.Split('.');
                if(idParts.Length > 1 && Guid.TryParse(idParts[1], out Guid id))
@ -44,6 +49,29 @@ namespace Bit.Core.IdentityServer
                    }
                }
            }
+            else if(_globalSettings.SelfHosted && clientId.StartsWith("internal.") &&
+                CoreHelpers.SettingHasValue(_globalSettings.InternalIdentityKey))
+            {
+                var idParts = clientId.Split('.');
+                if(idParts.Length > 1)
+                {
+                    var id = idParts[1];
+                    if(!string.IsNullOrWhiteSpace(id))
+                    {
+                        return new Client
+                        {
+                            ClientId = $"internal.{id}",
+                            RequireClientSecret = true,
+                            ClientSecrets = { new Secret(_globalSettings.InternalIdentityKey.Sha256()) },
+                            AllowedScopes = new string[] { "internal" },
+                            AllowedGrantTypes = GrantTypes.ClientCredentials,
+                            AccessTokenLifetime = 3600 * 24,
+                            Enabled = true,
+                            Claims = new List<Claim> { new Claim(JwtClaimTypes.Subject, id) }
+                        };
+                    }
+                }
+            }

            return _apiClients.ContainsKey(clientId) ? _apiClients[clientId] : null;
        }