mirror of
https://github.com/bitwarden/server
synced 2025-12-24 12:13:17 +00:00
8a67aafbe5
feat: add SSO request validation and organization identifier lookup - Implement SsoRequestValidator to validate SSO requirements - Add UserSsoOrganizationIdentifierQuery to fetch organization identifiers - Create SsoOrganizationIdentifier custom response for SSO redirects - Add feature flag (RedirectOnSsoRequired) for gradual rollout - Register validators and queries in dependency injection - Create RequestValidationConstants to reduce magic strings - Add comprehensive test coverage for validation logic - Update BaseRequestValidator to consume SsoRequestValidator
171 lines
6.7 KiB
C#
171 lines
6.7 KiB
C#
// FIXME: Update this file to be null safe and then delete the line below
|
|
#nullable disable
|
|
|
|
using System.Security.Claims;
|
|
using System.Text.Json;
|
|
using Bit.Core;
|
|
using Bit.Core.AdminConsole.OrganizationFeatures.Policies;
|
|
using Bit.Core.AdminConsole.Services;
|
|
using Bit.Core.Auth.Enums;
|
|
using Bit.Core.Auth.Models.Business.Tokenables;
|
|
using Bit.Core.Auth.Repositories;
|
|
using Bit.Core.Auth.UserFeatures.WebAuthnLogin;
|
|
using Bit.Core.Context;
|
|
using Bit.Core.Entities;
|
|
using Bit.Core.KeyManagement.Queries.Interfaces;
|
|
using Bit.Core.Repositories;
|
|
using Bit.Core.Services;
|
|
using Bit.Core.Settings;
|
|
using Bit.Core.Tokens;
|
|
using Duende.IdentityServer.Models;
|
|
using Duende.IdentityServer.Validation;
|
|
using Fido2NetLib;
|
|
using Microsoft.AspNetCore.Identity;
|
|
|
|
namespace Bit.Identity.IdentityServer.RequestValidators;
|
|
|
|
public class WebAuthnGrantValidator : BaseRequestValidator<ExtensionGrantValidationContext>, IExtensionGrantValidator
|
|
{
|
|
public const string GrantType = "webauthn";
|
|
|
|
private readonly IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> _assertionOptionsDataProtector;
|
|
private readonly IAssertWebAuthnLoginCredentialCommand _assertWebAuthnLoginCredentialCommand;
|
|
private readonly IDeviceValidator _deviceValidator;
|
|
|
|
public WebAuthnGrantValidator(
|
|
UserManager<User> userManager,
|
|
IUserService userService,
|
|
IEventService eventService,
|
|
IDeviceValidator deviceValidator,
|
|
ITwoFactorAuthenticationValidator twoFactorAuthenticationValidator,
|
|
ISsoRequestValidator ssoRequestValidator,
|
|
IOrganizationUserRepository organizationUserRepository,
|
|
ILogger<CustomTokenRequestValidator> logger,
|
|
ICurrentContext currentContext,
|
|
GlobalSettings globalSettings,
|
|
ISsoConfigRepository ssoConfigRepository,
|
|
IUserRepository userRepository,
|
|
IPolicyService policyService,
|
|
IDataProtectorTokenFactory<WebAuthnLoginAssertionOptionsTokenable> assertionOptionsDataProtector,
|
|
IFeatureService featureService,
|
|
IUserDecryptionOptionsBuilder userDecryptionOptionsBuilder,
|
|
IAssertWebAuthnLoginCredentialCommand assertWebAuthnLoginCredentialCommand,
|
|
IPolicyRequirementQuery policyRequirementQuery,
|
|
IAuthRequestRepository authRequestRepository,
|
|
IMailService mailService,
|
|
IUserAccountKeysQuery userAccountKeysQuery)
|
|
: base(
|
|
userManager,
|
|
userService,
|
|
eventService,
|
|
deviceValidator,
|
|
twoFactorAuthenticationValidator,
|
|
ssoRequestValidator,
|
|
organizationUserRepository,
|
|
logger,
|
|
currentContext,
|
|
globalSettings,
|
|
userRepository,
|
|
policyService,
|
|
featureService,
|
|
ssoConfigRepository,
|
|
userDecryptionOptionsBuilder,
|
|
policyRequirementQuery,
|
|
authRequestRepository,
|
|
mailService,
|
|
userAccountKeysQuery)
|
|
{
|
|
_assertionOptionsDataProtector = assertionOptionsDataProtector;
|
|
_assertWebAuthnLoginCredentialCommand = assertWebAuthnLoginCredentialCommand;
|
|
_deviceValidator = deviceValidator;
|
|
}
|
|
|
|
string IExtensionGrantValidator.GrantType => "webauthn";
|
|
|
|
public async Task ValidateAsync(ExtensionGrantValidationContext context)
|
|
{
|
|
var rawToken = context.Request.Raw.Get("token");
|
|
var rawDeviceResponse = context.Request.Raw.Get("deviceResponse");
|
|
if (string.IsNullOrWhiteSpace(rawToken) || string.IsNullOrWhiteSpace(rawDeviceResponse))
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant);
|
|
return;
|
|
}
|
|
|
|
var verified = _assertionOptionsDataProtector.TryUnprotect(rawToken, out var token) &&
|
|
token.TokenIsValid(WebAuthnLoginAssertionOptionsScope.Authentication);
|
|
var deviceResponse = JsonSerializer.Deserialize<AuthenticatorAssertionRawResponse>(rawDeviceResponse);
|
|
|
|
if (!verified)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidRequest);
|
|
return;
|
|
}
|
|
|
|
var (user, credential) = await _assertWebAuthnLoginCredentialCommand.AssertWebAuthnLoginCredential(token.Options, deviceResponse);
|
|
UserDecryptionOptionsBuilder.WithWebAuthnLoginCredential(credential);
|
|
|
|
await ValidateAsync(context, context.Request, new CustomValidatorRequestContext { User = user });
|
|
}
|
|
|
|
protected override Task<bool> ValidateContextAsync(ExtensionGrantValidationContext context,
|
|
CustomValidatorRequestContext validatorContext)
|
|
{
|
|
if (validatorContext.User == null)
|
|
{
|
|
return Task.FromResult(false);
|
|
}
|
|
|
|
return Task.FromResult(true);
|
|
}
|
|
|
|
protected override Task SetSuccessResult(ExtensionGrantValidationContext context, User user,
|
|
List<Claim> claims, Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(user.Id.ToString(), "Application",
|
|
identityProvider: Constants.IdentityProvider,
|
|
claims: claims.Count > 0 ? claims : null,
|
|
customResponse: customResponse);
|
|
return Task.CompletedTask;
|
|
}
|
|
|
|
protected override ClaimsPrincipal GetSubject(ExtensionGrantValidationContext context)
|
|
{
|
|
return context.Result.Subject;
|
|
}
|
|
|
|
[Obsolete("Consider using SetValidationErrorResult instead.")]
|
|
protected override void SetTwoFactorResult(ExtensionGrantValidationContext context,
|
|
Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Two factor required.",
|
|
customResponse);
|
|
}
|
|
|
|
[Obsolete("Consider using SetValidationErrorResult instead.")]
|
|
protected override void SetSsoResult(ExtensionGrantValidationContext context,
|
|
Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, "Sso authentication required.",
|
|
customResponse);
|
|
}
|
|
|
|
[Obsolete("Consider using SetValidationErrorResult instead.")]
|
|
protected override void SetErrorResult(ExtensionGrantValidationContext context, Dictionary<string, object> customResponse)
|
|
{
|
|
context.Result = new GrantValidationResult(TokenRequestErrors.InvalidGrant, customResponse: customResponse);
|
|
}
|
|
|
|
protected override void SetValidationErrorResult(
|
|
ExtensionGrantValidationContext context, CustomValidatorRequestContext requestContext)
|
|
{
|
|
context.Result = new GrantValidationResult
|
|
{
|
|
Error = requestContext.ValidationErrorResult.Error,
|
|
ErrorDescription = requestContext.ValidationErrorResult.ErrorDescription,
|
|
IsError = true,
|
|
CustomResponse = requestContext.CustomResponse
|
|
};
|
|
}
|
|
}
|