Merge branch 'dev'

CONTRIBUTING.md

@@ -66,3 +66,7 @@ Summary of the changes (Less than 80 chars)
 -  Tests only need to be present for issues that need to be verified by QA (e.g. not tasks)
 -  If there is a scenario that is far too hard to test there does not need to be a test for it.
   - "Too hard" is determined by the team as a whole.
+
+**Contribution Packages**
+
+If you are planning to add functionality via contribution packages, we would like you to use `IdentityServer3.Contrib.*` as a naming convention.

default.ps1

@@ -11,7 +11,7 @@ properties {
 	$nuget_path = "$src_directory\.nuget\nuget.exe"
 
 	$buildNumber = 0;
-	$version = "2.3.0.0"
+	$version = "2.4.0.0"
 	$preRelease = $null
 }
 

source/Core/Configuration/AppBuilderExtensions/ConfigureCookieAuthenticationExtension.cs

@@ -18,10 +18,13 @@
 using IdentityServer3.Core.Configuration;
 using IdentityServer3.Core.Configuration.Hosting;
 using IdentityServer3.Core.Extensions;
+using IdentityServer3.Core.Services;
 using Microsoft.Owin.Security;
 using Microsoft.Owin.Security.Cookies;
 using Microsoft.Owin.Security.DataHandler;
 using System;
+using System.Security.Claims;
+using System.Threading.Tasks;
 
 namespace Owin
 {
@@ -45,7 +48,19 @@ public static IAppBuilder ConfigureCookieAuthentication(this IAppBuilder app, Co
                 SlidingExpiration = options.SlidingExpiration,
                 CookieSecure = GetCookieSecure(options.SecureMode),
                 TicketDataFormat = new TicketDataFormat(new DataProtectorAdapter(dataProtector, options.Prefix + Constants.PrimaryAuthenticationType)),
-                SessionStore = GetSessionStore(options.SessionStoreProvider)
+                SessionStore = GetSessionStore(options.SessionStoreProvider),
+                Provider = new CookieAuthenticationProvider
+                {
+                    OnValidateIdentity = async cookieCtx =>
+                    {
+                        var validator = cookieCtx.OwinContext.Environment.ResolveDependency<IAuthenticationSessionValidator>();
+                        var isValid = await validator.IsAuthenticationSessionValidAsync(new ClaimsPrincipal(cookieCtx.Identity));
+                        if (isValid == false)
+                        {
+                            cookieCtx.RejectIdentity();
+                        }
+                    }
+                }
             };
             app.UseCookieAuthentication(primary);
 

source/Core/Configuration/AppBuilderExtensions/UseIdentityServerExtension.cs

@@ -69,6 +69,8 @@ public static IAppBuilder UseIdentityServer(this IAppBuilder app, IdentityServer
                 app.SetLoggerFactory(new LibLogKatanaLoggerFactory());
             }
 
+            app.UseEmbeddedFileServer();
+
             app.ConfigureRequestId();
             app.ConfigureDataProtectionProvider(options);
             app.ConfigureIdentityServerBaseUrl(options.PublicOrigin);
@@ -98,8 +100,6 @@ public static IAppBuilder UseIdentityServer(this IAppBuilder app, IdentityServer
                 options.AuthenticationOptions.IdentityProviders(app, Constants.ExternalAuthenticationType);
             }
 
-            app.UseEmbeddedFileServer();
-
             app.ConfigureHttpLogging(options.LoggingOptions);
 
             SignatureConversions.AddConversions(app);

source/Core/Configuration/AuthenticationOptions.cs

@@ -75,6 +75,15 @@ public AuthenticationOptions()
         /// </value>
         public IEnumerable<LoginPageLink> LoginPageLinks { get; set; }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether IdentityServer will always show a confirmation page for sign-out.
+        /// Defaults to false.
+        /// </summary>
+        /// <value>
+        /// <c>true</c> if sign-out prompt is required; otherwise, <c>false</c>.
+        /// </value>
+        public bool RequireSignOutPrompt { get; set; }
+
         /// <summary>
         /// Gets or sets a value indicating whether IdentityServer will show a confirmation page for sign-out.
         /// When a client initiates a sign-out, by default IdentityServer will ask the user for confirmation. This is a mitigation technique against "logout spam".

source/Core/Configuration/CookieOptions.cs

@@ -106,5 +106,8 @@ public CookieOptions()
         /// to the client. This can be used to mitigate potential problems with very large identities.
         /// </summary>
         public IAuthenticationSessionStoreProvider SessionStoreProvider { get; set; }
+
+
+
     }
 }

source/Core/Configuration/CspOptions.cs

@@ -76,5 +76,13 @@ public CspOptions()
         /// The connect source.
         /// </value>
         public string ImgSrc { get; set; }
+
+        /// <summary>
+        /// Allows additional iframe sources to be indicated.
+        /// </summary>
+        /// <value>
+        /// The connect source.
+        /// </value>
+        public string FrameSrc { get; set; }
     }
 }

source/Core/Configuration/Hosting/AutoFacConfig.cs

@@ -60,14 +60,16 @@ public static IContainer Configure(IdentityServerOptions options)
 
             builder.RegisterDefaultInstance<IConsentStore, InMemoryConsentStore>(fact.ConsentStore);
             builder.RegisterDefaultInstance<ICorsPolicyService, DefaultCorsPolicyService>(fact.CorsPolicyService);
-            
+
             builder.RegisterDefaultType<IClaimsProvider, DefaultClaimsProvider>(fact.ClaimsProvider);
             builder.RegisterDefaultType<ITokenService, DefaultTokenService>(fact.TokenService);
             builder.RegisterDefaultType<IRefreshTokenService, DefaultRefreshTokenService>(fact.RefreshTokenService);            
             builder.RegisterDefaultType<ICustomRequestValidator, DefaultCustomRequestValidator>(fact.CustomRequestValidator);
             builder.RegisterDefaultType<IExternalClaimsFilter, NopClaimsFilter>(fact.ExternalClaimsFilter);
             builder.RegisterDefaultType<ICustomTokenValidator, DefaultCustomTokenValidator>(fact.CustomTokenValidator);
+            builder.RegisterDefaultType<ICustomTokenResponseGenerator, DefaultCustomTokenResponseGenerator>(fact.CustomTokenResponseGenerator);
             builder.RegisterDefaultType<IConsentService, DefaultConsentService>(fact.ConsentService);
+            builder.RegisterDefaultType<IAuthenticationSessionValidator, DefaultAuthenticationSessionValidator>(fact.AuthenticationSessionValidator);
 
             // todo remove in next major version
             if (fact.TokenSigningService != null)
@@ -95,10 +97,6 @@ public static IContainer Configure(IdentityServerOptions options)
                     builder.Register(val);
                 }
             }
-            else
-            {
-                builder.RegisterType<NopCustomGrantValidator>().As<ICustomGrantValidator>();
-            }
 
             // register secret parsing/validation plumbing
             builder.RegisterType<SecretValidator>();

source/Core/Configuration/Hosting/CorsPolicyProvider.cs

@@ -46,7 +46,9 @@ public CorsPolicyProvider(IEnumerable<string> allowedPaths)
 
             // see if the Origin is different than this server's origin. if so
             // that indicates a proper CORS request
-            var thisOrigin = request.Uri.Scheme + "://" + request.Uri.Authority;
+            var ctx = new OwinContext(request.Environment);
+            // using GetIdentityServerHost takes into account a configured PublicOrigin
+            var thisOrigin = ctx.GetIdentityServerHost();
             if (origin != null && origin != thisOrigin)
             {
                 if (IsPathAllowed(request))

source/Core/Configuration/Hosting/SecurityHeadersAttribute.cs

@@ -65,27 +65,38 @@ public override void OnActionExecuted(HttpActionExecutedContext actionExecutedCo
                         // img-src as * due to client logos
                         var value = "default-src 'self'; script-src 'self' {0}; style-src 'self' 'unsafe-inline' {1}; img-src {2}; ";
 
+                        value = String.Format(value, 
+                            options.CspOptions.ScriptSrc, 
+                            options.CspOptions.StyleSrc, 
+                            options.CspOptions.ImgSrc ?? "*");
+
                         if (!String.IsNullOrWhiteSpace(options.CspOptions.FontSrc))
                         {
                             value += String.Format("font-src {0};", options.CspOptions.FontSrc);
                         }
+
                         if (!String.IsNullOrWhiteSpace(options.CspOptions.ConnectSrc))
                         {
                             value += String.Format("connect-src {0};", options.CspOptions.ConnectSrc);
                         }
 
                         var iframesOrigins = actionExecutedContext.Request.GetAllowedCspFrameOrigins();
-                        if (iframesOrigins.Any())
+                        if (iframesOrigins.Any() || !String.IsNullOrWhiteSpace(options.CspOptions.FrameSrc))
                         {
-                            var frameSrc = iframesOrigins.Aggregate((x, y) => x + " " + y);
-                            value += String.Format("frame-src {0};", frameSrc);
+                            var frameSrc = options.CspOptions.FrameSrc;
+                            if (iframesOrigins.Any())
+                            {
+                                frameSrc += " ";
+                                frameSrc += iframesOrigins.Aggregate((x, y) => x + " " + y);
+                            }
+                            value += String.Format("frame-src 'self' {0};", frameSrc);
                         }
 
-                        value = String.Format(value, options.CspOptions.ScriptSrc, options.CspOptions.StyleSrc, options.CspOptions.ImgSrc ?? "*");
                         if (options.Endpoints.EnableCspReportEndpoint)
                         {
                             value += " report-uri " + ctx.GetCspReportUrl();
                         }
+
                         // once for standards compliant browsers
                         actionExecutedContext.Response.Headers.Add("Content-Security-Policy", value);
                         // and once again for IE

source/Core/Configuration/IdentityServerServiceFactory.cs

@@ -65,9 +65,9 @@ public IdentityServerServiceFactory()
             // register default secret parsers
             SecretParsers = new List<Registration<ISecretParser>>
             {
-                new Registration<ISecretParser, BasicAuthenticationSecretParser>(),
+                new Registration<ISecretParser, X509CertificateSecretParser>(),
                 new Registration<ISecretParser, PostBodySecretParser>(),
-                new Registration<ISecretParser, X509CertificateSecretParser>()
+                new Registration<ISecretParser, BasicAuthenticationSecretParser>(),
             };
 
             // register default secret validators
@@ -289,15 +289,15 @@ public void Register<T>(Registration<T> registration)
         /// <value>
         /// The secret parsers.
         /// </value>
-        public IEnumerable<Registration<ISecretParser>> SecretParsers { get; set; }
+        public IList<Registration<ISecretParser>> SecretParsers { get; set; }
 
         /// <summary>
         /// Gets or sets the secret validators.
         /// </summary>
         /// <value>
         /// The secret validators.
         /// </value>
-        public IEnumerable<Registration<ISecretValidator>> SecretValidators { get; set; }
+        public IList<Registration<ISecretValidator>> SecretValidators { get; set; }
 
         /// <summary>
         /// Gets or sets the CORS policy service.
@@ -307,6 +307,22 @@ public void Register<T>(Registration<T> registration)
         /// </value>
         public Registration<ICorsPolicyService> CorsPolicyService { get; set; }
 
+        /// <summary>
+        /// Gets or sets the custom token response generator
+        /// </summary>
+        /// <value>
+        /// The custom token response generator
+        /// </value>
+        public Registration<ICustomTokenResponseGenerator> CustomTokenResponseGenerator { get; set; }
+
+        /// <summary>
+        /// Gets or sets the authentication session validator.
+        /// </summary>
+        /// <value>
+        /// The authentication session validator.
+        /// </value>
+        public Registration<IAuthenticationSessionValidator> AuthenticationSessionValidator { get; set; }
+
         /// <summary>
         /// Gets or sets the signing key service.
         /// </summary>

source/Core/Configuration/InputLengthRestrictions.cs

@@ -17,7 +17,7 @@
 namespace IdentityServer3.Core.Configuration
 {
     /// <summary>
-    /// 
+    /// Defines the input length restrictions for different values
     /// </summary>
     public class InputLengthRestrictions
     {
@@ -46,6 +46,10 @@ public InputLengthRestrictions()
             RefreshToken = Default;
             TokenHandle = Default;
             Jwt = 51200;
+            CodeChallengeMinLength = 43;
+            CodeChallengeMaxLength = 128;
+            CodeVerifierMinLength = 43;
+            CodeVerifierMaxLength = 128;
         }
 
         /// <summary>
@@ -137,5 +141,25 @@ public InputLengthRestrictions()
         /// Max length for JWTs
         /// </summary>
         public int Jwt { get; private set; }
+
+        /// <summary>
+        /// Min length for the code challenge
+        /// </summary>
+        public int CodeChallengeMinLength { get; private set; }
+
+        /// <summary>
+        /// Max length for the code challenge
+        /// </summary>
+        public int CodeChallengeMaxLength { get; private set; }
+
+        /// <summary>
+        /// Min length for the code verifier
+        /// </summary>
+        public int CodeVerifierMinLength { get; private set; }
+
+        /// <summary>
+        /// Max length for the code verifier
+        /// </summary>
+        public int CodeVerifierMaxLength { get; private set; }
     }
 }