Added additional OpenId Introspection/Revocation endpoints and PKCE to the OpenID Settings and Application UI pages

src/OrchardCore.Cms.Web/.config/dotnet-tools.json

@@ -0,0 +1,12 @@
+{
+  "version": 1,
+  "isRoot": true,
+  "tools": {
+    "dotnet-ef": {
+      "version": "6.0.5",
+      "commands": [
+        "dotnet-ef"
+      ]
+    }
+  }
+}

src/OrchardCore.Cms.Web/Properties/launchSettings.json

@@ -3,7 +3,7 @@
     "windowsAuthentication": false,
     "anonymousAuthentication": true,
     "iisExpress": {
-      "applicationUrl": "http://localhost:2918",
+      "applicationUrl": "http://localhost:2919",
       "sslPort": 44300
     }
   },
@@ -25,4 +25,4 @@
       "applicationUrl": "https://localhost:5001;http://localhost:5000"
     }
   }
-}
+}

src/OrchardCore.Modules/OrchardCore.OpenId/Configuration/OpenIdServerConfiguration.cs

@@ -89,7 +89,15 @@ public void Configure(OpenIddictServerOptions options)
             }
             if (settings.UserinfoEndpointPath.HasValue)
             {
-                options.UserinfoEndpointUris.Add(new Uri(settings.UserinfoEndpointPath.Value, UriKind.Relative));
+                options.UserinfoEndpointUris.Add(new Uri(settings.UserinfoEndpointPath.Value, UriKind.Relative));                
+            }
+            if (settings.IntrospectionEndpointPath.HasValue)
+            {
+                options.IntrospectionEndpointUris.Add(new Uri(settings.IntrospectionEndpointPath.Value, UriKind.Relative));
+            }
+            if (settings.RevocationEndpointPath.HasValue)
+            {
+                options.RevocationEndpointUris.Add(new Uri(settings.RevocationEndpointPath.Value, UriKind.Relative));
             }
 
             // For now, response types and response modes are not directly
@@ -146,6 +154,8 @@ public void Configure(OpenIddictServerOptions options)
                 options.Scopes.Add(Scopes.OfflineAccess);
             }
 
+            options.RequireProofKeyForCodeExchange = settings.RequireProofKeyForCodeExchange;
+
             options.Scopes.Add(Scopes.Email);
             options.Scopes.Add(Scopes.Phone);
             options.Scopes.Add(Scopes.Profile);

src/OrchardCore.Modules/OrchardCore.OpenId/Controllers/ApplicationController.cs

@@ -163,9 +163,11 @@ public async Task<IActionResult> Create(CreateOpenIdApplicationViewModel model,
                 AllowClientCredentialsFlow = model.AllowClientCredentialsFlow,
                 AllowHybridFlow = model.AllowHybridFlow,
                 AllowImplicitFlow = model.AllowImplicitFlow,
+                AllowIntrospectionEndpoint = model.AllowIntrospectionEndpoint,
                 AllowLogoutEndpoint = model.AllowLogoutEndpoint,
                 AllowPasswordFlow = model.AllowPasswordFlow,
                 AllowRefreshTokenFlow = model.AllowRefreshTokenFlow,
+                AllowRevocationEndpoint = model.AllowRevocationEndpoint,
                 ClientId = model.ClientId,
                 ClientSecret = model.ClientSecret,
                 ConsentType = model.ConsentType,
@@ -174,7 +176,8 @@ public async Task<IActionResult> Create(CreateOpenIdApplicationViewModel model,
                 RedirectUris = model.RedirectUris,
                 Roles = model.RoleEntries.Where(x => x.Selected).Select(x => x.Name).ToArray(),
                 Scopes = model.ScopeEntries.Where(x => x.Selected).Select(x => x.Name).ToArray(),
-                Type = model.Type
+                Type = model.Type,
+                RequireProofKeyForCodeExchange = model.RequireProofKeyForCodeExchange
             };
 
             await _applicationManager.UpdateDescriptorFromSettings(settings);
@@ -201,6 +204,7 @@ public async Task<IActionResult> Edit(string id, string returnUrl = null)
             }
 
             ValueTask<bool> HasPermissionAsync(string permission) => _applicationManager.HasPermissionAsync(application, permission);
+            ValueTask<bool> HasRequirementAsync(string requirement) => _applicationManager.HasRequirementAsync(application, requirement);
 
             var model = new EditOpenIdApplicationViewModel
             {
@@ -226,13 +230,16 @@ await HasPermissionAsync(OpenIddictConstants.Permissions.ResponseTypes.Token)),
                 AllowPasswordFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.Password),
                 AllowRefreshTokenFlow = await HasPermissionAsync(OpenIddictConstants.Permissions.GrantTypes.RefreshToken),
                 AllowLogoutEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Logout),
+                AllowIntrospectionEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Introspection),
+                AllowRevocationEndpoint = await HasPermissionAsync(OpenIddictConstants.Permissions.Endpoints.Revocation),
                 ClientId = await _applicationManager.GetClientIdAsync(application),
                 ConsentType = await _applicationManager.GetConsentTypeAsync(application),
                 DisplayName = await _applicationManager.GetDisplayNameAsync(application),
                 Id = await _applicationManager.GetPhysicalIdAsync(application),
                 PostLogoutRedirectUris = string.Join(" ", await _applicationManager.GetPostLogoutRedirectUrisAsync(application)),
                 RedirectUris = string.Join(" ", await _applicationManager.GetRedirectUrisAsync(application)),
-                Type = await _applicationManager.GetClientTypeAsync(application)
+                Type = await _applicationManager.GetClientTypeAsync(application),
+                RequireProofKeyForCodeExchange = await HasRequirementAsync(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange)
             };
 
             var roleService = HttpContext.RequestServices?.GetService<IRoleService>();
@@ -322,9 +329,11 @@ await _applicationManager.GetIdAsync(application), StringComparison.Ordinal))
                 AllowClientCredentialsFlow = model.AllowClientCredentialsFlow,
                 AllowHybridFlow = model.AllowHybridFlow,
                 AllowImplicitFlow = model.AllowImplicitFlow,
+                AllowIntrospectionEndpoint = model.AllowIntrospectionEndpoint,
                 AllowLogoutEndpoint = model.AllowLogoutEndpoint,
                 AllowPasswordFlow = model.AllowPasswordFlow,
                 AllowRefreshTokenFlow = model.AllowRefreshTokenFlow,
+                AllowRevocationEndpoint = model.AllowRevocationEndpoint,
                 ClientId = model.ClientId,
                 ClientSecret = model.ClientSecret,
                 ConsentType = model.ConsentType,
@@ -333,7 +342,8 @@ await _applicationManager.GetIdAsync(application), StringComparison.Ordinal))
                 RedirectUris = model.RedirectUris,
                 Roles = model.RoleEntries.Where(x => x.Selected).Select(x => x.Name).ToArray(),
                 Scopes = model.ScopeEntries.Where(x => x.Selected).Select(x => x.Name).ToArray(),
-                Type = model.Type
+                Type = model.Type,
+                RequireProofKeyForCodeExchange = model.RequireProofKeyForCodeExchange
             };
 
             await _applicationManager.UpdateDescriptorFromSettings(settings, application);

src/OrchardCore.Modules/OrchardCore.OpenId/Deployment/OpenIdServerDeploymentSource.cs

@@ -47,6 +47,8 @@ public async Task ProcessDeploymentStepAsync(DeploymentStep step, DeploymentPlan
                 EnableLogoutEndpoint = !string.IsNullOrWhiteSpace(settings.LogoutEndpointPath),
                 EnableTokenEndpoint = !string.IsNullOrWhiteSpace(settings.TokenEndpointPath),
                 EnableUserInfoEndpoint = !string.IsNullOrWhiteSpace(settings.UserinfoEndpointPath),
+                EnableIntrospectionEndpoint = !string.IsNullOrWhiteSpace(settings.IntrospectionEndpointPath),
+                EnableRevocationEndpoint = !string.IsNullOrWhiteSpace(settings.RevocationEndpointPath),
 
                 AllowAuthorizationCodeFlow = settings.AllowAuthorizationCodeFlow,
                 AllowClientCredentialsFlow = settings.AllowClientCredentialsFlow,
@@ -58,6 +60,7 @@ public async Task ProcessDeploymentStepAsync(DeploymentStep step, DeploymentPlan
                 DisableAccessTokenEncryption = settings.DisableAccessTokenEncryption,
                 DisableRollingRefreshTokens = settings.DisableRollingRefreshTokens,
                 UseReferenceAccessTokens = settings.UseReferenceAccessTokens,
+                RequireProofKeyForCodeExchange = settings.RequireProofKeyForCodeExchange,                
             };
 
             // Use nameof(OpenIdServerSettings) as name,

src/OrchardCore.Modules/OrchardCore.OpenId/Drivers/OpenIdServerSettingsDisplayDriver.cs

@@ -35,6 +35,8 @@ public override Task<IDisplayResult> EditAsync(OpenIdServerSettings settings, Bu
                 model.EnableLogoutEndpoint = settings.LogoutEndpointPath.HasValue;
                 model.EnableTokenEndpoint = settings.TokenEndpointPath.HasValue;
                 model.EnableUserInfoEndpoint = settings.UserinfoEndpointPath.HasValue;
+                model.EnableIntrospectionEndpoint = settings.IntrospectionEndpointPath.HasValue;
+                model.EnableRevocationEndpoint = settings.RevocationEndpointPath.HasValue;
 
                 model.AllowAuthorizationCodeFlow = settings.AllowAuthorizationCodeFlow;
                 model.AllowClientCredentialsFlow = settings.AllowClientCredentialsFlow;
@@ -46,6 +48,7 @@ public override Task<IDisplayResult> EditAsync(OpenIdServerSettings settings, Bu
                 model.DisableAccessTokenEncryption = settings.DisableAccessTokenEncryption;
                 model.DisableRollingRefreshTokens = settings.DisableRollingRefreshTokens;
                 model.UseReferenceAccessTokens = settings.UseReferenceAccessTokens;
+                model.RequireProofKeyForCodeExchange = settings.RequireProofKeyForCodeExchange;
 
                 foreach (var (certificate, location, name) in await _serverService.GetAvailableCertificatesAsync())
                 {
@@ -89,6 +92,10 @@ public override async Task<IDisplayResult> UpdateAsync(OpenIdServerSettings sett
                 new PathString("/connect/token") : PathString.Empty;
             settings.UserinfoEndpointPath = model.EnableUserInfoEndpoint ?
                 new PathString("/connect/userinfo") : PathString.Empty;
+            settings.IntrospectionEndpointPath = model.EnableIntrospectionEndpoint ?
+                new PathString("/connect/introspect") : PathString.Empty;
+            settings.RevocationEndpointPath = model.EnableRevocationEndpoint ?
+                new PathString("/connect/revoke") : PathString.Empty;
 
             settings.AllowAuthorizationCodeFlow = model.AllowAuthorizationCodeFlow;
             settings.AllowClientCredentialsFlow = model.AllowClientCredentialsFlow;
@@ -100,6 +107,7 @@ public override async Task<IDisplayResult> UpdateAsync(OpenIdServerSettings sett
             settings.DisableAccessTokenEncryption = model.DisableAccessTokenEncryption;
             settings.DisableRollingRefreshTokens = model.DisableRollingRefreshTokens;
             settings.UseReferenceAccessTokens = model.UseReferenceAccessTokens;
+            settings.RequireProofKeyForCodeExchange = model.RequireProofKeyForCodeExchange;
 
             return await EditAsync(settings, context);
         }

src/OrchardCore.Modules/OrchardCore.OpenId/OpenIdApplicationExtensions.cs

@@ -27,6 +27,9 @@ public class OpenIdApplicationSettings
         public bool AllowHybridFlow { get; set; }
         public bool AllowImplicitFlow { get; set; }
         public bool AllowLogoutEndpoint { get; set; }
+        public bool AllowIntrospectionEndpoint { get; set; }
+        public bool AllowRevocationEndpoint { get; set; }
+        public bool RequireProofKeyForCodeExchange { get; set; }
     }
 
     internal static class OpenIdApplicationExtensions
@@ -179,6 +182,31 @@ public static async Task UpdateDescriptorFromSettings(this IOpenIdApplicationMan
                 descriptor.Permissions.Remove(OpenIddictConstants.Permissions.ResponseTypes.CodeIdTokenToken);
                 descriptor.Permissions.Remove(OpenIddictConstants.Permissions.ResponseTypes.CodeToken);
             }
+            if (model.AllowIntrospectionEndpoint)
+            {
+                descriptor.Permissions.Add(OpenIddictConstants.Permissions.Endpoints.Introspection);
+            }
+            else
+            {
+                descriptor.Permissions.Remove(OpenIddictConstants.Permissions.Endpoints.Introspection);
+            }
+            if (model.AllowRevocationEndpoint)
+            {
+                descriptor.Permissions.Add(OpenIddictConstants.Permissions.Endpoints.Revocation);
+            }
+            else
+            {
+                descriptor.Permissions.Remove(OpenIddictConstants.Permissions.Endpoints.Revocation);
+            }
+
+            if (model.RequireProofKeyForCodeExchange)
+            {
+                descriptor.Requirements.Add(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
+            }
+            else
+            {
+                descriptor.Requirements.Remove(OpenIddictConstants.Requirements.Features.ProofKeyForCodeExchange);
+            }
 
             descriptor.Roles.Clear();
 

src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdApplicationStep.cs

@@ -37,9 +37,11 @@ public async Task ExecuteAsync(RecipeExecutionContext context)
                 AllowClientCredentialsFlow = model.AllowClientCredentialsFlow,
                 AllowHybridFlow = model.AllowHybridFlow,
                 AllowImplicitFlow = model.AllowImplicitFlow,
+                AllowIntrospectionEndpoint = model.AllowIntrospectionEndpoint,
                 AllowLogoutEndpoint = model.AllowLogoutEndpoint,
                 AllowPasswordFlow = model.AllowPasswordFlow,
                 AllowRefreshTokenFlow = model.AllowRefreshTokenFlow,
+                AllowRevocationEndpoint = model.AllowRevocationEndpoint,
                 ClientId = model.ClientId,
                 ClientSecret = model.ClientSecret,
                 ConsentType = model.ConsentType,
@@ -48,7 +50,8 @@ public async Task ExecuteAsync(RecipeExecutionContext context)
                 RedirectUris = model.RedirectUris,
                 Roles = model.RoleEntries.Select(x => x.Name).ToArray(),
                 Scopes = model.ScopeEntries.Select(x => x.Name).ToArray(),
-                Type = model.Type
+                Type = model.Type,
+                RequireProofKeyForCodeExchange = model.RequireProofKeyForCodeExchange,
             };
 
             await _applicationManager.UpdateDescriptorFromSettings(settings, app);

src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdApplicationStepModel.cs

@@ -20,6 +20,9 @@ public class OpenIdApplicationStepModel
         public bool AllowHybridFlow { get; set; }
         public bool AllowImplicitFlow { get; set; }
         public bool AllowLogoutEndpoint { get; set; }
+        public bool AllowIntrospectionEndpoint { get; set; }
+        public bool AllowRevocationEndpoint { get; set; }
+        public bool RequireProofKeyForCodeExchange { get; set; }
 
         public class RoleEntry
         {

src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdServerSettingsStep.cs

@@ -47,6 +47,10 @@ public async Task ExecuteAsync(RecipeExecutionContext context)
                 new PathString("/connect/token") : PathString.Empty;
             settings.UserinfoEndpointPath = model.EnableUserInfoEndpoint ?
                 new PathString("/connect/userinfo") : PathString.Empty;
+            settings.IntrospectionEndpointPath = model.EnableIntrospectionEndpoint ?
+                new PathString("/connect/introspect") : PathString.Empty;
+            settings.RevocationEndpointPath = model.EnableRevocationEndpoint ?
+                new PathString("/connect/revoke") : PathString.Empty;
 
             settings.AllowAuthorizationCodeFlow = model.AllowAuthorizationCodeFlow;
             settings.AllowClientCredentialsFlow = model.AllowClientCredentialsFlow;
@@ -58,6 +62,7 @@ public async Task ExecuteAsync(RecipeExecutionContext context)
             settings.DisableAccessTokenEncryption = model.DisableAccessTokenEncryption;
             settings.DisableRollingRefreshTokens = model.DisableRollingRefreshTokens;
             settings.UseReferenceAccessTokens = model.UseReferenceAccessTokens;
+            settings.RequireProofKeyForCodeExchange = model.RequireProofKeyForCodeExchange;
 
             await _serverService.UpdateSettingsAsync(settings);
         }

src/OrchardCore.Modules/OrchardCore.OpenId/Recipes/OpenIdServerSettingsStepModel.cs

@@ -20,13 +20,16 @@ public class OpenIdServerSettingsStepModel
         public bool EnableAuthorizationEndpoint { get; set; }
         public bool EnableLogoutEndpoint { get; set; }
         public bool EnableUserInfoEndpoint { get; set; }
+        public bool EnableIntrospectionEndpoint { get; set; }
+        public bool EnableRevocationEndpoint { get; set; }
         public bool AllowPasswordFlow { get; set; }
         public bool AllowClientCredentialsFlow { get; set; }
         public bool AllowAuthorizationCodeFlow { get; set; }
         public bool AllowRefreshTokenFlow { get; set; }
         public bool AllowHybridFlow { get; set; }
         public bool AllowImplicitFlow { get; set; }
         public bool DisableRollingRefreshTokens { get; set; }
+        public bool RequireProofKeyForCodeExchange { get; set; }
 
         public bool UseReferenceAccessTokens { get; set; }
     }

src/OrchardCore.Modules/OrchardCore.OpenId/Services/OpenIdServerService.cs

@@ -78,7 +78,9 @@ private OpenIdServerSettings GetSettingsFromContainer(ISite container)
                 AuthorizationEndpointPath = "/connect/authorize",
                 LogoutEndpointPath = "/connect/logout",
                 TokenEndpointPath = "/connect/token",
-                UserinfoEndpointPath = "/connect/userinfo"
+                UserinfoEndpointPath = "/connect/userinfo",
+                IntrospectionEndpointPath = "/connect/introspect",
+                RevocationEndpointPath = "/connect/revoke",
             };
         }
 

src/OrchardCore.Modules/OrchardCore.OpenId/Settings/OpenIdServerSettings.cs

@@ -25,6 +25,10 @@ public class OpenIdServerSettings
 
         public PathString UserinfoEndpointPath { get; set; }
 
+        public PathString IntrospectionEndpointPath { get; set; }
+
+        public PathString RevocationEndpointPath { get; set; }
+
         public bool AllowPasswordFlow { get; set; }
         public bool AllowClientCredentialsFlow { get; set; }
         public bool AllowAuthorizationCodeFlow { get; set; }
@@ -36,6 +40,8 @@ public class OpenIdServerSettings
 
         public bool UseReferenceAccessTokens { get; set; }
 
+        public bool RequireProofKeyForCodeExchange { get; set; }
+
         public enum TokenFormat
         {
             DataProtection = 0,

src/OrchardCore.Modules/OrchardCore.OpenId/ViewModels/CreateOpenIdApplicationViewModel.cs

@@ -29,6 +29,9 @@ public class CreateOpenIdApplicationViewModel : IValidatableObject
         public bool AllowHybridFlow { get; set; }
         public bool AllowImplicitFlow { get; set; }
         public bool AllowLogoutEndpoint { get; set; }
+        public bool AllowIntrospectionEndpoint { get; set; }
+        public bool AllowRevocationEndpoint { get; set; }
+        public bool RequireProofKeyForCodeExchange { get; set; }
 
         public IEnumerable<ValidationResult> Validate(ValidationContext validationContext) => ValidateUrls(validationContext, nameof(RedirectUris), RedirectUris)
             .Union(ValidateUrls(validationContext, nameof(PostLogoutRedirectUris), PostLogoutRedirectUris));

src/OrchardCore.Modules/OrchardCore.OpenId/ViewModels/EditOpenIdApplicationViewModel.cs

@@ -33,6 +33,9 @@ public class EditOpenIdApplicationViewModel : IValidatableObject
         public bool AllowHybridFlow { get; set; }
         public bool AllowImplicitFlow { get; set; }
         public bool AllowLogoutEndpoint { get; set; }
+        public bool AllowIntrospectionEndpoint { get; set; }
+        public bool AllowRevocationEndpoint { get; set; }
+        public bool RequireProofKeyForCodeExchange { get; set; }
 
         public IEnumerable<ValidationResult> Validate(ValidationContext validationContext) => ValidateUrls(validationContext, nameof(RedirectUris), RedirectUris)
                 .Union(ValidateUrls(validationContext, nameof(PostLogoutRedirectUris), PostLogoutRedirectUris));

src/OrchardCore.Modules/OrchardCore.OpenId/ViewModels/OpenIdServerSettingsViewModel.cs

@@ -24,6 +24,8 @@ public class OpenIdServerSettingsViewModel
         public bool EnableAuthorizationEndpoint { get; set; }
         public bool EnableLogoutEndpoint { get; set; }
         public bool EnableUserInfoEndpoint { get; set; }
+        public bool EnableIntrospectionEndpoint { get; set; }
+        public bool EnableRevocationEndpoint { get; set; }
         public bool AllowPasswordFlow { get; set; }
         public bool AllowClientCredentialsFlow { get; set; }
         public bool AllowAuthorizationCodeFlow { get; set; }
@@ -32,6 +34,7 @@ public class OpenIdServerSettingsViewModel
         public bool AllowImplicitFlow { get; set; }
         public bool DisableRollingRefreshTokens { get; set; }
         public bool UseReferenceAccessTokens { get; set; }
+        public bool RequireProofKeyForCodeExchange { get; set; }
 
         public class CertificateInfo
         {