Upgrade package

Author: RainingNight

NuGet.config

@@ -6,5 +6,6 @@
     <add key="Zero" value="https://www.myget.org/F/zero/api/v3/index.json" />
     <add key="AspNetCore" value="https://dotnet.myget.org/F/aspnetcore-dev/api/v3/index.json" />
     <add key="AspNetCoreTools" value="https://dotnet.myget.org/F/aspnetcore-tools/api/v3/index.json" />
+    <add key="Identity* Dev Feed" value="https://www.myget.org/F/identity/" />
   </packageSources>
 </configuration>

SourceLink/IdentityServer4/Configuration/DependencyInjection/BuilderExtensions/Core.cs

@@ -190,7 +190,7 @@ public static IIdentityServerBuilder AddValidators(this IIdentityServerBuilder b
             builder.Services.TryAddTransient<IResourceOwnerPasswordValidator, NotSupportedResourceOwnerPasswordValidator>();
             builder.Services.TryAddTransient<ICustomTokenRequestValidator, DefaultCustomTokenRequestValidator>();
             builder.Services.TryAddTransient<IUserInfoRequestValidator, UserInfoRequestValidator>();
-            builder.Services.TryAddTransient<IClientConfigurationValidator, NopClientConfigurationValidator>();
+            builder.Services.TryAddTransient<IClientConfigurationValidator, DefaultClientConfigurationValidator>();
 
             // optional
             builder.Services.TryAddTransient<ICustomTokenValidator, DefaultCustomTokenValidator>();

SourceLink/IdentityServer4/Configuration/DependencyInjection/ConfigureInternalCookieOptions.cs

@@ -1,6 +1,7 @@
-using IdentityServer4.Extensions;
+using IdentityServer4.Extensions;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace IdentityServer4.Configuration
@@ -25,15 +26,27 @@ public void Configure(string name, CookieAuthenticationOptions options)
                 options.SlidingExpiration = _idsrv.Authentication.CookieSlidingExpiration;
                 options.ExpireTimeSpan = _idsrv.Authentication.CookieLifetime;
                 options.Cookie.Name = IdentityServerConstants.DefaultCookieAuthenticationScheme;
+                options.Cookie.IsEssential = true;
                 options.Cookie.SameSite = SameSiteMode.None;
+
                 options.LoginPath = ExtractLocalUrl(_idsrv.UserInteraction.LoginUrl);
                 options.LogoutPath = ExtractLocalUrl(_idsrv.UserInteraction.LogoutUrl);
-                options.ReturnUrlParameter = _idsrv.UserInteraction.LoginReturnUrlParameter;
+                if (_idsrv.UserInteraction.LoginReturnUrlParameter != null)
+                {
+                    options.ReturnUrlParameter = _idsrv.UserInteraction.LoginReturnUrlParameter;
+                }
             }
 
             if (name == IdentityServerConstants.ExternalCookieAuthenticationScheme)
             {
                 options.Cookie.Name = IdentityServerConstants.ExternalCookieAuthenticationScheme;
+                options.Cookie.IsEssential = true;
+                // https://github.com/IdentityServer/IdentityServer4/issues/2595
+                // need to set None because iOS 12 safari considers the POST back to the client from the 
+                // IdP as not safe, so cookies issued from response (with lax) then should not be honored.
+                // so we need to make those cookies issued without same-site, thus the browser will
+                // hold onto them and send on the next redirect to the callback page.
+                options.Cookie.SameSite = SameSiteMode.None;
             }
         }
 
@@ -57,40 +70,41 @@ internal class PostConfigureInternalCookieOptions : IPostConfigureOptions<Cookie
     {
         private readonly IdentityServerOptions _idsrv;
         private readonly IOptions<Microsoft.AspNetCore.Authentication.AuthenticationOptions> _authOptions;
+        private readonly ILogger _logger;
 
-        public PostConfigureInternalCookieOptions(IdentityServerOptions idsrv, IOptions<Microsoft.AspNetCore.Authentication.AuthenticationOptions> authOptions)
+        public PostConfigureInternalCookieOptions(
+            IdentityServerOptions idsrv,
+            IOptions<Microsoft.AspNetCore.Authentication.AuthenticationOptions> authOptions,
+            ILoggerFactory loggerFactory)
         {
             _idsrv = idsrv;
             _authOptions = authOptions;
+            _logger = loggerFactory.CreateLogger("IdentityServer4.Startup");
+
         }
 
         public void PostConfigure(string name, CookieAuthenticationOptions options)
         {
-            var scheme = _authOptions.Value.DefaultAuthenticateScheme ??
+            var scheme = _idsrv.Authentication.CookieAuthenticationScheme ??
+                _authOptions.Value.DefaultAuthenticateScheme ??
                 _authOptions.Value.DefaultScheme;
 
             if (name == scheme)
             {
-                options.LoginPath = ExtractLocalUrl(_idsrv.UserInteraction.LoginUrl);
-                options.LogoutPath = ExtractLocalUrl(_idsrv.UserInteraction.LogoutUrl);
-                options.ReturnUrlParameter = _idsrv.UserInteraction.LoginReturnUrlParameter;
-            }
-        }
+                _idsrv.UserInteraction.LoginUrl = _idsrv.UserInteraction.LoginUrl ?? options.LoginPath;
+                _idsrv.UserInteraction.LoginReturnUrlParameter = _idsrv.UserInteraction.LoginReturnUrlParameter ?? options.ReturnUrlParameter;
+                _idsrv.UserInteraction.LogoutUrl = _idsrv.UserInteraction.LogoutUrl ?? options.LogoutPath;
 
-        private static string ExtractLocalUrl(string url)
-        {
-            if (url.IsLocalUrl())
-            {
-                if (url.StartsWith("~/"))
-                {
-                    url = url.Substring(1);
-                }
+                _logger.LogDebug("Login Url: {url}", _idsrv.UserInteraction.LoginUrl);
+                _logger.LogDebug("Login Return Url Parameter: {param}", _idsrv.UserInteraction.LoginReturnUrlParameter);
+                _logger.LogDebug("Logout Url: {url}", _idsrv.UserInteraction.LogoutUrl);
 
-                return url;
-            }
+                _logger.LogDebug("ConsentUrl Url: {url}", _idsrv.UserInteraction.ConsentUrl);
+                _logger.LogDebug("Consent Return Url Parameter: {param}", _idsrv.UserInteraction.ConsentReturnUrlParameter);
 
-            return null;
+                _logger.LogDebug("Error Url: {url}", _idsrv.UserInteraction.ErrorUrl);
+                _logger.LogDebug("Error Id Parameter: {param}", _idsrv.UserInteraction.ErrorIdParameter);
+            }
         }
     }
-
 }

SourceLink/IdentityServer4/Configuration/DependencyInjection/Options/AuthenticationOptions.cs

@@ -11,6 +11,12 @@ namespace IdentityServer4.Configuration
     /// </summary>
     public class AuthenticationOptions
     {
+        /// <summary>
+        /// Sets the cookie authenitcation scheme confgured by the host used for interactive users. If not set, the scheme will inferred from the host's default authentication scheme.
+        /// This setting is typically used when AddPolicyScheme is used in the host as the default scheme.
+        /// </summary>
+        public string CookieAuthenticationScheme { get; set; }
+
         /// <summary>
         /// Sets the cookie lifetime (only effective if the IdentityServer-provided cookie handler is used)
         /// </summary>

SourceLink/IdentityServer4/Configuration/DependencyInjection/Options/IdentityServerOptions.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
@@ -96,5 +96,10 @@ public class IdentityServerOptions
         /// Gets or sets the Content Security Policy options.
         /// </summary>
         public CspOptions Csp { get; set; } = new CspOptions();
+
+        /// <summary>
+        /// Gets or sets the validation options.
+        /// </summary>
+        public ValidationOptions Validation { get; set; } = new ValidationOptions();
     }
 }

SourceLink/IdentityServer4/Configuration/DependencyInjection/Options/UserInteractionOptions.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
@@ -17,23 +17,23 @@ public class UserInteractionOptions
         /// <value>
         /// The login URL.
         /// </value>
-        public string LoginUrl { get; set; } = Constants.UIConstants.DefaultRoutePaths.Login.EnsureLeadingSlash();
+        public string LoginUrl { get; set; } //= Constants.UIConstants.DefaultRoutePaths.Login.EnsureLeadingSlash();
 
         /// <summary>
         /// Gets or sets the login return URL parameter.
         /// </summary>
         /// <value>
         /// The login return URL parameter.
         /// </value>
-        public string LoginReturnUrlParameter { get; set; } = Constants.UIConstants.DefaultRoutePathParams.Login;
+        public string LoginReturnUrlParameter { get; set; } //= Constants.UIConstants.DefaultRoutePathParams.Login;
 
         /// <summary>
         /// Gets or sets the logout URL. If a local URL, the value must start with a leading slash.
         /// </summary>
         /// <value>
         /// The logout URL.
         /// </value>
-        public string LogoutUrl { get; set; } = Constants.UIConstants.DefaultRoutePaths.Logout.EnsureLeadingSlash();
+        public string LogoutUrl { get; set; } //= Constants.UIConstants.DefaultRoutePaths.Logout.EnsureLeadingSlash();
 
         /// <summary>
         /// Gets or sets the logout identifier parameter.

SourceLink/IdentityServer4/Configuration/DependencyInjection/Options/ValidationOptions.cs

@@ -0,0 +1,33 @@
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
+
+
+using System.Collections.Generic;
+
+namespace IdentityServer4.Configuration
+{
+    /// <summary>
+    /// The ValidationOptions contains settings that affect some of the default validation behavior.
+    /// </summary>
+    public class ValidationOptions
+    {
+        /// <summary>
+        ///  Collection of URI scheme prefixes that should never be used as custom URI schemes in the redirect_uri passed to tha authorize endpoint.
+        /// </summary>
+        public ICollection<string> InvalidRedirectUriPrefixes { get; } = new HashSet<string>
+        {
+            "javascript:",
+            "file:",
+            "data:",
+            "mailto:",
+            "ftp:",
+            "blob:",
+            "about:",
+            "ssh:",
+            "tel:",
+            "view-source:",
+            "ws:",
+            "wss:"
+        };
+    }
+}

SourceLink/IdentityServer4/Configuration/IdentityServerApplicationBuilderExtensions.cs

@@ -76,19 +76,25 @@ internal static void Validate(this IApplicationBuilder app)
 
         private static async Task ValidateAsync(IServiceProvider services, ILogger logger)
         {
+            var options = services.GetRequiredService<IdentityServerOptions>();
             var schemes = services.GetRequiredService<IAuthenticationSchemeProvider>();
 
-            if (await schemes.GetDefaultAuthenticateSchemeAsync() == null)
+            if (await schemes.GetDefaultAuthenticateSchemeAsync() == null && options.Authentication.CookieAuthenticationScheme == null)
             {
-                logger.LogWarning("No default authentication scheme has been set. Setting a default scheme is required.");
+                logger.LogWarning("No authentication scheme has been set. Setting either a default authentication scheme or a CookieAuthenticationScheme on IdentityServerOptions is required.");
             }
             else
             {
-                logger.LogDebug("Using {scheme} as default scheme for authentication", (await schemes.GetDefaultAuthenticateSchemeAsync())?.Name);
-                logger.LogDebug("Using {scheme} as default scheme for sign-in", (await schemes.GetDefaultSignInSchemeAsync())?.Name);
-                logger.LogDebug("Using {scheme} as default scheme for sign-out", (await schemes.GetDefaultSignOutSchemeAsync())?.Name);
-                logger.LogDebug("Using {scheme} as default scheme for challenge", (await schemes.GetDefaultChallengeSchemeAsync())?.Name);
-                logger.LogDebug("Using {scheme} as default scheme for forbid", (await schemes.GetDefaultForbidSchemeAsync())?.Name);
+                if (options.Authentication.CookieAuthenticationScheme != null)
+                {
+                    logger.LogInformation("Using explicitly configured scheme {scheme} for IdentityServer", options.Authentication.CookieAuthenticationScheme);
+                }
+
+                logger.LogDebug("Using {scheme} as default ASP.NET Core scheme for authentication", (await schemes.GetDefaultAuthenticateSchemeAsync())?.Name);
+                logger.LogDebug("Using {scheme} as default ASP.NET Core scheme for sign-in", (await schemes.GetDefaultSignInSchemeAsync())?.Name);
+                logger.LogDebug("Using {scheme} as default ASP.NET Core scheme for sign-out", (await schemes.GetDefaultSignOutSchemeAsync())?.Name);
+                logger.LogDebug("Using {scheme} as default ASP.NET Core scheme for challenge", (await schemes.GetDefaultChallengeSchemeAsync())?.Name);
+                logger.LogDebug("Using {scheme} as default ASP.NET Core scheme for forbid", (await schemes.GetDefaultForbidSchemeAsync())?.Name);
             }
         }
 
@@ -106,9 +112,10 @@ private static void ValidateOptions(IdentityServerOptions options, ILogger logge
                 logger.LogDebug("PublicOrigin explicitly set to {0}", options.PublicOrigin);
             }
 
-            if (options.UserInteraction.LoginUrl.IsMissing()) throw new InvalidOperationException("LoginUrl is not configured");
-            if (options.UserInteraction.LoginReturnUrlParameter.IsMissing()) throw new InvalidOperationException("LoginReturnUrlParameter is not configured");
-            if (options.UserInteraction.LogoutUrl.IsMissing()) throw new InvalidOperationException("LogoutUrl is not configured");
+            // todo: perhaps different logging messages?
+            //if (options.UserInteraction.LoginUrl.IsMissing()) throw new InvalidOperationException("LoginUrl is not configured");
+            //if (options.UserInteraction.LoginReturnUrlParameter.IsMissing()) throw new InvalidOperationException("LoginReturnUrlParameter is not configured");
+            //if (options.UserInteraction.LogoutUrl.IsMissing()) throw new InvalidOperationException("LogoutUrl is not configured");
             if (options.UserInteraction.LogoutIdParameter.IsMissing()) throw new InvalidOperationException("LogoutIdParameter is not configured");
             if (options.UserInteraction.ErrorUrl.IsMissing()) throw new InvalidOperationException("ErrorUrl is not configured");
             if (options.UserInteraction.ErrorIdParameter.IsMissing()) throw new InvalidOperationException("ErrorIdParameter is not configured");

SourceLink/IdentityServer4/Constants.cs

@@ -14,7 +14,6 @@ internal static class Constants
         public const string IdentityServerName               = "IdentityServer4";
         public const string IdentityServerAuthenticationType = IdentityServerName;
         public const string ExternalAuthenticationMethod     = "external";
-        public const string AccessTokenAudience              = "{0}resources";
         public const string DefaultHashAlgorithm             = "SHA256";
 
         public static readonly TimeSpan DefaultCookieTimeSpan = TimeSpan.FromHours(10);

SourceLink/IdentityServer4/Endpoints/Results/CustomRedirectResult.cs

@@ -1,4 +1,4 @@
-// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
+// Copyright (c) Brock Allen & Dominick Baier. All rights reserved.
 // Licensed under the Apache License, Version 2.0. See LICENSE in the project root for license information.
 
 
@@ -66,7 +66,7 @@ public Task ExecuteAsync(HttpContext context)
         {
             Init(context);
 
-            var returnUrl = context.Request.PathBase.ToString().EnsureTrailingSlash() + Constants.ProtocolRoutePaths.Authorize;
+            var returnUrl = context.GetIdentityServerBasePath().EnsureTrailingSlash() + Constants.ProtocolRoutePaths.Authorize;
             returnUrl = returnUrl.AddQueryString(_request.Raw.ToQueryString());
 
             if (!_url.IsLocalUrl())