Merge pull request #2064 from sbwalker/dev

Improve Principal handling for OIDC and resolve Logout issue (caused by AntiForgeryToken)
oqtane · Mar 15, 2022 · 6324aac · 6324aac
2 parents 9b69e13 + d51ba8f
commit 6324aac
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 18 deletions.
diff --git a/Oqtane.Client/Themes/Controls/Theme/LoginBase.cs b/Oqtane.Client/Themes/Controls/Theme/LoginBase.cs
@@ -1,4 +1,5 @@
 using System;
+using System.Net;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Components;
 using Microsoft.JSInterop;
@@ -34,24 +35,25 @@ protected async Task LogoutUser()
         {
             await UserService.LogoutUserAsync(PageState.User);
             await LoggingService.Log(PageState.Alias, PageState.Page.PageId, PageState.ModuleId, PageState.User.UserId, GetType().AssemblyQualifiedName, "Logout", LogFunction.Security, LogLevel.Information, null, "User Logout For Username {Username}", PageState.User.Username);
-
             PageState.User = null;
-            bool authorizedtoviewpage = UserSecurity.IsAuthorized(PageState.User, PermissionNames.View, PageState.Page.Permissions);
+
+            var url = PageState.Alias.Path + "/" + PageState.Page.Path;
+            if (!UserSecurity.IsAuthorized(PageState.User, PermissionNames.View, PageState.Page.Permissions))
+            {
+                url = PageState.Alias.Path;
+            }            
 
             if (PageState.Runtime == Shared.Runtime.Server)
             {
-                // server-side Blazor needs to post to the Logout page
-                var fields = new { __RequestVerificationToken = SiteState.AntiForgeryToken, returnurl = !authorizedtoviewpage ? PageState.Alias.Path : PageState.Alias.Path + "/" + PageState.Page.Path };
-                string url = Utilities.TenantUrl(PageState.Alias, "/pages/logout/");
-                var interop = new Interop(jsRuntime);
-                await interop.SubmitForm(url, fields);
+                // server-side Blazor needs to redirect to the Logout page
+                NavigationManager.NavigateTo(Utilities.TenantUrl(PageState.Alias, "/pages/logout/") + "?returnurl=" + WebUtility.UrlEncode(url), true);
             }
             else
             {
                 // client-side Blazor
                 var authstateprovider = (IdentityAuthenticationStateProvider)ServiceProvider.GetService(typeof(IdentityAuthenticationStateProvider));
                 authstateprovider.NotifyAuthenticationChanged();
-                NavigationManager.NavigateTo(NavigateUrl(!authorizedtoviewpage ? PageState.Alias.Path : PageState.Page.Path, true));
+                NavigationManager.NavigateTo(NavigateUrl(url, true));
             }
         }
     }

diff --git a/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs b/Oqtane.Server/Extensions/OqtaneSiteAuthenticationBuilderExtensions.cs
@@ -104,7 +104,7 @@ private static async Task OnTokenValidated(TokenValidatedContext context)
                     identityuser.UserName = email;
                     identityuser.Email = email;
                     identityuser.EmailConfirmed = true;
-                    var result = await _identityUserManager.CreateAsync(identityuser, Guid.NewGuid().ToString("N") + "-Xx!");
+                    var result = await _identityUserManager.CreateAsync(identityuser, DateTime.UtcNow.ToString("yyyy-MMM-dd-HH-mm-ss"));
                     if (result.Succeeded)
                     {
                         user = new User();
@@ -164,17 +164,19 @@ private static async Task OnTokenValidated(TokenValidatedContext context)
                 user = _users.GetUser(email);
                 if (user != null)
                 {
-                    List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, context.HttpContext.GetAlias().SiteId).ToList();
-                    var identity = UserSecurity.CreateClaimsIdentity(context.HttpContext.GetAlias(), user, userroles);
+                    var principal = (ClaimsIdentity)context.Principal.Identity;
 
-                    var principalIdentity = (ClaimsIdentity)context.Principal.Identity;
-                    foreach (var claim in identity.Claims)
+                    // remove the name claim if it exists in the principal
+                    var nameclaim = principal.Claims.FirstOrDefault(item => item.Type == ClaimTypes.Name);
+                    if (nameclaim != null)
                     {
-                        if (!principalIdentity.Claims.Contains(claim))
-                        {
-                            principalIdentity.AddClaim(claim);
-                        }
+                        principal.RemoveClaim(nameclaim);
                     }
+
+                    // add Oqtane claims
+                    List<UserRole> userroles = _userRoles.GetUserRoles(user.UserId, context.HttpContext.GetAlias().SiteId).ToList();
+                    var identity = UserSecurity.CreateClaimsIdentity(context.HttpContext.GetAlias(), user, userroles);
+                    principal.AddClaims(identity.Claims);
                 }
             }
             else

diff --git a/Oqtane.Server/Pages/Logout.cshtml.cs b/Oqtane.Server/Pages/Logout.cshtml.cs
@@ -10,7 +10,7 @@ namespace Oqtane.Pages
     [AllowAnonymous]
     public class LogoutModel : PageModel
     {
-        public async Task<IActionResult> OnPostAsync(string returnurl)
+        public async Task<IActionResult> OnGetAsync(string returnurl)
         {
             if (HttpContext.User.Identity.IsAuthenticated)
             {