Merge branch 'dev'

default.ps1

@@ -11,7 +11,7 @@ properties {
 	$nuget_path = "$src_directory\.nuget\nuget.exe"
 
 	$buildNumber = 0;
-	$version = "2.4.0.0"
+	$version = "2.5.0.0"
 	$preRelease = $null
 }
 

source/Core/Configuration/AuthenticationOptions.cs

@@ -94,6 +94,14 @@ public AuthenticationOptions()
         /// </value>
         public bool EnableSignOutPrompt { get; set; }
 
+        /// <summary>
+        /// Gets or sets a value indicating whether IdentityServer automatically sends a callback URL for federated post-logout redirects. Defaults to false.
+        /// </summary>
+        /// <value>
+        /// <c>true</c> if callback URL sent for federated post-logout redirects; otherwise, <c>false</c>.
+        /// </value>
+        public bool EnableAutoCallbackForFederatedSignout { get; set; }
+
         /// <summary>
         /// Gets or sets a value indicating whether IdentityServer automatically redirects back to a validated post_logout_redirect_uri passed to the signout endpoint. Defaults to false.
         /// </summary>

source/Core/Configuration/Hosting/CorsPolicyProvider.cs

@@ -67,7 +67,7 @@ public CorsPolicyProvider(IEnumerable<string> allowedPaths)
                 }
                 else
                 {
-                    Logger.WarnFormat("CORS request made for path: {0} from origin: {1} but rejected because invalid CORS path", path, origin);
+                    Logger.InfoFormat("CORS request made for path: {0} from origin: {1} but rejected because invalid CORS path", path, origin);
                 }
             }
 

source/Core/Configuration/InputLengthRestrictions.cs

@@ -50,6 +50,7 @@ public InputLengthRestrictions()
             CodeChallengeMaxLength = 128;
             CodeVerifierMinLength = 43;
             CodeVerifierMaxLength = 128;
+            ProofKey = 2048;
         }
 
         /// <summary>
@@ -161,5 +162,10 @@ public InputLengthRestrictions()
         /// Max length for the code verifier
         /// </summary>
         public int CodeVerifierMaxLength { get; private set; }
+
+        /// <summary>
+        /// Max length for proof keys
+        /// </summary>
+        public int ProofKey { get; set; }
     }
 }

source/Core/Constants.cs

@@ -14,6 +14,7 @@
  * limitations under the License.
  */
 
+using IdentityModel;
 using IdentityServer3.Core.Models;
 using System;
 using System.Collections.Generic;
@@ -92,6 +93,8 @@ public static class TokenRequest
             public const string UserName            = "username";
             public const string Password            = "password";
             public const string CodeVerifier        = "code_verifier";
+            public const string Algorithm           = "alg";
+            public const string Key                 = "key";
         }
 
         public static class EndSessionRequest
@@ -118,7 +121,19 @@ public static class TokenTypes
             public const string AccessToken   = "access_token";
             public const string IdentityToken = "id_token";
             public const string RefreshToken  = "refresh_token";
-            public const string Bearer        = "Bearer";
+        }
+
+        public static class ResponseTokenTypes
+        {
+            public const string Bearer = "Bearer";
+            public const string PoP = "pop";
+        }
+
+        public static class AuthenticationSchemes
+        {
+            public const string BearerAuthorizationHeader = "Bearer";
+            public const string BearerFormPost = "access_token";
+            public const string BearerQueryString = "access_token";
         }
 
         public static class GrantTypes
@@ -537,6 +552,9 @@ public static class ClaimTypes
             /// <summary>JWT ID. A unique identifier for the token, which can be used to prevent reuse of the token. These tokens MUST only be used once, unless conditions for reuse were negotiated between the parties; any such negotiation is beyond the scope of this specification.</summary>
             public const string JwtId                               = "jti";
 
+            /// <summary> Proof key confirmation </summary>
+            public const string Confirmation                        = "cnf";
+
             /// <summary>OAuth 2.0 Client Identifier valid at the Authorization Server.</summary>
             public const string ClientId         = "client_id";
 
@@ -567,7 +585,6 @@ public static class ClaimTypes
             ClaimTypes.Issuer,
             ClaimTypes.NotBefore,
             ClaimTypes.Expiration,
-            ClaimTypes.UpdatedAt,
             ClaimTypes.IssuedAt,
             ClaimTypes.AuthenticationMethod,
             ClaimTypes.AuthenticationTime,
@@ -723,10 +740,10 @@ public static class OwinEnvironment
 
         public static class Authentication
         {
-            public const string SigninId                 = "signinid";
-            public const string SignoutId                = "id";
-            public const string KatanaAuthenticationType = "katanaAuthenticationType";
-            public const string PartialLoginRememberMe = "idsvr:rememberme";
+            public const string SigninId                    = "signinid";
+            public const string SignoutId                   = "id";
+            public const string KatanaAuthenticationType    = "katanaAuthenticationType";
+            public const string PartialLoginRememberMe      = "idsvr:rememberme";
         }
 
         public static class LocalizationCategories
@@ -764,5 +781,20 @@ public static class ClaimValueTypes
         {
             public const string Json = "json";
         }
+
+        public static IEnumerable<string> AllowedProofKeyAlgorithms = new[]
+        {
+            OidcConstants.Algorithms.Asymmetric.RS256,
+            OidcConstants.Algorithms.Asymmetric.RS384,
+            OidcConstants.Algorithms.Asymmetric.RS512,
+
+            OidcConstants.Algorithms.Asymmetric.ES256,
+            OidcConstants.Algorithms.Asymmetric.ES384,
+            OidcConstants.Algorithms.Asymmetric.ES512,
+
+            OidcConstants.Algorithms.Asymmetric.PS256,
+            OidcConstants.Algorithms.Asymmetric.PS384,
+            OidcConstants.Algorithms.Asymmetric.PS512,
+        };
     }
 }

source/Core/Core.csproj

@@ -55,8 +55,8 @@
       <SpecificVersion>False</SpecificVersion>
       <HintPath>..\packages\Autofac.WebApi2.3.4.0\lib\net45\Autofac.Integration.WebApi.dll</HintPath>
     </Reference>
-    <Reference Include="IdentityModel.Net45, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
-      <HintPath>..\packages\IdentityModel.1.3.1\lib\net45\IdentityModel.Net45.dll</HintPath>
+    <Reference Include="IdentityModel, Version=1.0.0.0, Culture=neutral, processorArchitecture=MSIL">
+      <HintPath>..\packages\IdentityModel.1.9.2\lib\net45\IdentityModel.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Microsoft.CSharp" />
@@ -85,7 +85,7 @@
       <HintPath>..\packages\Microsoft.Owin.StaticFiles.3.0.1\lib\net45\Microsoft.Owin.StaticFiles.dll</HintPath>
     </Reference>
     <Reference Include="Newtonsoft.Json, Version=8.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed, processorArchitecture=MSIL">
-      <HintPath>..\packages\Newtonsoft.Json.8.0.2\lib\net45\Newtonsoft.Json.dll</HintPath>
+      <HintPath>..\packages\Newtonsoft.Json.8.0.3\lib\net45\Newtonsoft.Json.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Owin">
@@ -175,6 +175,7 @@
     <Compile Include="Extensions\JwtSecurityTokenExtensions.cs" />
     <Compile Include="Extensions\LoginPageLinkExtensions.cs" />
     <Compile Include="Extensions\OwinEnvironmentExtensions.cs" />
+    <Compile Include="Extensions\TokenExtensions.cs" />
     <Compile Include="Extensions\X509Certificate2Extensions.cs" />
     <Compile Include="Internal\AntiXssLibrary\CodeCharts\CodeChartHelper.cs" />
     <Compile Include="Internal\AntiXssLibrary\CodeCharts\Lower.cs" />
@@ -207,6 +208,7 @@
     <Compile Include="Extensions\IEventServiceExtensions.cs" />
     <Compile Include="Extensions\ILocalizationServiceExtensions.cs" />
     <Compile Include="Logging\LibLogTraceListener.cs" />
+    <Compile Include="Logging\NoopLogProvider.cs" />
     <Compile Include="Models\ClientPermissionDescription.cs" />
     <Compile Include="Models\Contexts\ExternalAuthenticationContext.cs" />
     <Compile Include="Models\ParsedSecret.cs" />
@@ -215,6 +217,7 @@
     <Compile Include="Models\IsActiveContext.cs" />
     <Compile Include="Models\Contexts\LocalAuthenticationContext.cs" />
     <Compile Include="Models\Contexts\PreAuthenticationContext.cs" />
+    <Compile Include="Models\RsaPublicKeyJwk.cs" />
     <Compile Include="Models\Secret.cs" />
     <Compile Include="Models\AuthenticatedLogin.cs" />
     <Compile Include="Models\ITokenMetadata.cs" />
@@ -246,6 +249,7 @@
     <Compile Include="Validation\BasicAuthenticationSecretParser.cs" />
     <Compile Include="Validation\IntrospectionRequestValidationResult.cs" />
     <Compile Include="Validation\IntrospectionRequestValidator.cs" />
+    <Compile Include="Validation\RequestedTokenTypes.cs" />
     <Compile Include="Validation\ResponseTypeEqualityComparer.cs" />
     <Compile Include="Validation\ScopeSecretValidationResult.cs" />
     <Compile Include="Validation\ScopeSecretValidator.cs" />
@@ -503,6 +507,7 @@
       <Link>default.licenseheader</Link>
     </None>
     <None Include="app.config" />
+    <None Include="bundleconfig.json" />
     <None Include="Resources\T4resx.tt">
       <Generator>TextTemplatingFileGenerator</Generator>
       <LastGenOutput>T4resx.cs</LastGenOutput>
@@ -559,14 +564,13 @@
     <None Include="Services\DefaultViewService\HttpAssets\app\crypto.min.js.map">
       <DependentUpon>crypto.min.js</DependentUpon>
     </None>
-    <None Include="Services\DefaultViewService\HttpAssets\scripts.2.0.0.js.bundle" />
-    <None Include="Services\DefaultViewService\HttpAssets\scripts.2.0.0.min.js.map">
-      <DependentUpon>scripts.2.0.0.min.js</DependentUpon>
-    </None>
-    <None Include="Services\DefaultViewService\HttpAssets\styles.css.bundle" />
     <None Include="packages.config" />
   </ItemGroup>
   <ItemGroup>
+    <Content Include="Services\DefaultViewService\HttpAssets\styles.css" />
+    <EmbeddedResource Include="Services\DefaultViewService\HttpAssets\styles.min.css">
+      <DependentUpon>styles.css</DependentUpon>
+    </EmbeddedResource>
     <EmbeddedResource Include="Services\DefaultViewService\PageAssets\authorizeresponse.html" />
     <EmbeddedResource Include="Services\DefaultViewService\PageAssets\SignoutFrame.html" />
     <EmbeddedResource Include="Services\DefaultViewService\PageAssets\welcome.html" />
@@ -612,18 +616,7 @@
     <Content Include="Services\DefaultViewService\HttpAssets\libs\encoder\encoder.min.js" />
     <Content Include="Services\DefaultViewService\HttpAssets\libs\jquery\jquery-1.11.0.js" />
     <Content Include="Services\DefaultViewService\HttpAssets\libs\jquery\jquery-1.11.0.min.js" />
-    <EmbeddedResource Include="Services\DefaultViewService\HttpAssets\scripts.2.0.0.js">
-      <DependentUpon>scripts.2.0.0.js.bundle</DependentUpon>
-    </EmbeddedResource>
-    <Content Include="Services\DefaultViewService\HttpAssets\scripts.2.0.0.min.js">
-      <DependentUpon>scripts.2.0.0.js</DependentUpon>
-    </Content>
-    <Content Include="Services\DefaultViewService\HttpAssets\styles.css">
-      <DependentUpon>styles.css.bundle</DependentUpon>
-    </Content>
-    <EmbeddedResource Include="Services\DefaultViewService\HttpAssets\styles.min.css">
-      <DependentUpon>styles.css</DependentUpon>
-    </EmbeddedResource>
+    <EmbeddedResource Include="Services\DefaultViewService\HttpAssets\scripts.2.5.0.js" />
   </ItemGroup>
   <ItemGroup />
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />

source/Core/Endpoints/AuthenticationController.cs

@@ -627,7 +627,7 @@ public async Task<IHttpActionResult> Logout(string id = null)
             Logger.Info("Clearing cookies");
             context.QueueRemovalOfSignOutMessageCookie(id);
             context.ClearAuthenticationCookies();
-            context.SignOutOfExternalIdP();
+            context.SignOutOfExternalIdP(id);
 
             string clientId = null;
             var message = signOutMessageCookie.Read(id);
@@ -686,6 +686,17 @@ private async Task<IHttpActionResult> SignInAndRedirectAsync(SignInMessage signI
                 }
             }
 
+            // check to see if idp used to signin matches 
+            if (signInMessage.IdP.IsPresent() && 
+                authResult.IsPartialSignIn == false && 
+                authResult.HasSubject && 
+                authResult.User.GetIdentityProvider() != signInMessage.IdP)
+            {
+                // this is an error -- the user service did not set the idp to the one requested
+                Logger.ErrorFormat("IdP requested was: {0}, but the user service issued signin for IdP: {1}", signInMessage.IdP, authResult.User.GetIdentityProvider());
+                return RenderErrorPage();
+            }
+
             ClearAuthenticationCookiesForNewSignIn(authResult);
             IssueAuthenticationCookie(signInMessageId, authResult, rememberMe);
 

source/Core/Endpoints/Connect/DiscoveryEndpointController.cs

@@ -46,11 +46,11 @@ internal class DiscoveryEndpointController : ApiController
         private readonly IOwinContext _context;
         private readonly ISigningKeyService _keyService;
 
-        static readonly JsonSerializerSettings Settings = new JsonSerializerSettings
+        static readonly JsonSerializer Serializer = new JsonSerializer
         {
             NullValueHandling = NullValueHandling.Ignore
         };
-        
+
         public DiscoveryEndpointController(IdentityServerOptions options, IScopeStore scopes, IOwinContext context, ISigningKeyService keyService, CustomGrantValidator customGrants)
         {
             _options = options;
@@ -152,7 +152,8 @@ public async Task<IHttpActionResult> GetConfiguration()
             {
                 if (_options.Endpoints.EnableEndSessionEndpoint)
                 {
-                    dto.http_logout_supported = true;
+                    dto.frontchannel_logout_supported = true;
+                    dto.frontchannel_logout_session_supported = true;
                 }
 
                 if (_options.Endpoints.EnableAuthorizeEndpoint)
@@ -199,7 +200,7 @@ public async Task<IHttpActionResult> GetConfiguration()
                 }
             }
 
-            var jobject = JObject.FromObject(dto);
+            var jobject = JObject.FromObject(dto, Serializer);
 
             // custom entries
             if (_options.DiscoveryOptions.CustomEntries != null && _options.DiscoveryOptions.CustomEntries.Any())
@@ -275,7 +276,8 @@ private class DiscoveryDto
             public string check_session_iframe { get; set; }
             public string revocation_endpoint { get; set; }
             public string introspection_endpoint { get; set; }
-            public bool? http_logout_supported { get; set; }
+            public bool? frontchannel_logout_supported { get; set; }
+            public bool? frontchannel_logout_session_supported { get; set; }
             public string[] scopes_supported { get; set; }
             public string[] claims_supported { get; set; }
             public string[] response_types_supported { get; set; }

source/Core/Endpoints/Connect/EndSessionController.cs

@@ -182,7 +182,12 @@ private async Task<IEnumerable<string>> GetClientEndSessionUrlsAsync()
             var clients = new List<Client>();
             foreach (var clientId in clientIds)
             {
-                clients.Add(await _clientStore.FindClientByIdAsync(clientId));
+                var client = await _clientStore.FindClientByIdAsync(clientId);
+
+                if (client != null)
+                {
+                    clients.Add(client);
+                }
             }
 
             // get user's session id. session id will possibly 

source/Core/Extensions/InternalOwinExtensions.cs

@@ -453,7 +453,11 @@ public static void PrepareContextForLoggedOutPage(this IOwinContext context)
             context.Request.Method = "POST";
             context.Request.ContentType = "application/x-www-form-urlencoded";
             context.Request.Path = new PathString("/" + Constants.RoutePaths.Logout);
-            context.Request.QueryString = new QueryString("id", (string)context.Environment[QueueRenderLoggedOutPageFlag]);
+            var signOutId = context.Environment[QueueRenderLoggedOutPageFlag];
+            if (signOutId != null)
+            {
+                context.Request.QueryString = new QueryString("id", (string)context.Environment[QueueRenderLoggedOutPageFlag]);
+            }
 
             context.SetSuppressAntiForgeryCheck();
         }
@@ -480,7 +484,7 @@ public static void ClearAuthenticationCookies(this IOwinContext context)
                 Constants.PartialSignInAuthenticationType);
         }
 
-        public static void SignOutOfExternalIdP(this IOwinContext context)
+        public static void SignOutOfExternalIdP(this IOwinContext context, string signOutId)
         {
             if (context == null) throw new ArgumentNullException("context");
 
@@ -492,7 +496,18 @@ public static void SignOutOfExternalIdP(this IOwinContext context)
                 var idp = user.GetIdentityProvider();
                 if (idp != Constants.BuiltInIdentityProvider)
                 {
-                    context.Authentication.SignOut(idp);
+                    var authProps = new AuthenticationProperties();
+                    var options = context.ResolveDependency<IdentityServerOptions>();
+
+                    if (options.AuthenticationOptions.EnableAutoCallbackForFederatedSignout)
+                    {
+                        authProps.RedirectUri = context.Environment.GetIdentityServerLogoutUrl().EnsureTrailingSlash();
+                        if (signOutId != null)
+                        {
+                            authProps.RedirectUri = authProps.RedirectUri.AddQueryString(Constants.Authentication.SignoutId + "=" + signOutId);
+                        }
+                    }
+                    context.Authentication.SignOut(authProps, idp);
                 }
             }
         }